Law firm seeking leak victims to launch £500m suit at British Airways

British Airways faces a £500m lawsuit over its recent mega-breach that exposed payment card details of 380,000 customers. The airliner last week apologised and offered to compensate customers for any direct financial loss for the attack that took place between 21 August and 5 September via its website and app. However, an …
John Leyden, 11 Sep 2018

British Airways hack: Infosec experts finger third-party scripts on payment pages

Security experts are debating the cause of the British Airways mega-breach, with external scripts on its payment systems emerging as a prime suspect in the hack.

Why infosec folk think it was the payment system

Although BA hasn't disclosed the root of the breach, the unusual precision it ascribed to the hack's duration …
John Leyden, 11 Sep 2018

Email security crisis... What email security crisis?

In late August, Microsoft announced a free service that arguably reveals more about the future of the email business and its struggles with security than several years' worth of earnest press releases. Called AccountGuard, it's Microsoft's answer to the phenomenon of Russian phishing meddling with the US elections and the …
John E Dunn, 11 Sep 2018

Safari, Edge fans: Is that really the website you think you're visiting? URL spoof bug blabbed

A security researcher has disclosed a bug that could be abused to spoof website addresses in either Edge or Safari. Rafay Baloch told The Register that while Microsoft has since patched the flaw (CVE-2018-8383) in its browser, Apple has been dragging its feet on a fix for Safari for weeks, and the browser remains vulnerable …
Shaun Nichols, 11 Sep 2018

Register-Orbi-damned: Netgear account order irks infosec bods

Netgear has irked some security pros by demanding people register accounts before they can use a mobile app to control their Orbi mesh routers. Thus, you'll need a Netgear customer account to manage your network infrastructure, thereby "advertising to hackers everywhere that there’s a nice little honeypot on their servers, …
John Leyden, 10 Sep 2018

Tor(ched): Zerodium drops exploit for version 7 of anonymous browser

Bug broker Zerodium has released word of a flaw in the Tor browser that would potentially allow an attack site to bypass security protections and execute malicious code in the supposedly secure internet system. The flaw was disclosed in a Zerodium Tweet Monday morning that provides some detail on the nature of the flaw. …
Shaun Nichols, 10 Sep 2018

Arms race: SiFive, Hex Five build code safe houses for RISC-V chips

If you've been looking at SiFive's RISC-V-based chip technology and thinking, y'know what, it's missing an Arm TrustZone-style element to run sensitive code, well, here's some good news. And if you're just into processor design and checking out alternatives to Arm CPU cores, then this may be some interesting news. SiFive …
Thomas Claburn, 10 Sep 2018

Trend Micro tools tossed from Apple's Mac App Store after spewing fans' browser histories

Updated A bunch of Trend Micro anti-malware tools have vanished from Apple's Mac App Store – after they were spotted harvesting and siphoning off users' browser histories. Dr Cleaner, Dr Antivirus, and App Uninstall – utilities owned by the Japan-headquartered security house and distributed on the Mac App Store – are no longer …
Shaun Nichols, 10 Sep 2018

Sextortion scum armed with leaked credentials are persistent pests

Persistence pays off for crooks when it comes to sextortion-based phishing scams, research into its effectiveness suggests. One variant bombards prospective marks with threats to release non-existent footage of them watching smut unless they give in to demands. Cleverly, these threats are lent an air of authenticity by using …
John Leyden, 10 Sep 2018

Gits exposed, kinky app devs spanked, Feds spy on spyware buyers, etc

Roundup This week brought with it Supermicro shoring up firmware security, a North Korean hacking charge, and a spying anti-adware macOS tool getting yanked by Apple from its App Store. Elsewhere, we had…

BrokenType broken out with source code release

A software vulnerability probing tool called BrokenType had appeared in public on …
Shaun Nichols, 08 Sep 2018

Dear America: Want secure elections? Stick to pen and paper for ballots, experts urge

The upcoming 2020 US presidential election should be conducted on paper, since there is no way currently to make electronic and internet voting secure. That's according to a dossier from the National Academies of Sciences, Engineering, and Medicine, which probed the fallout of alleged Russian meddling with America's 2016 …
Shaun Nichols, 07 Sep 2018

Top antivirus tool nuked from macOS App Store – after it phoned browser histories to China

Apple has removed an app called Adware Doctor:Anti Malware &Ad from the macOS App Store following claims it sent users' browser histories to a remote server in China. The app's misbehavior was first noted by a security researcher who goes by the name Privacyis1st on Twitter and claims to have alerted Apple to the weirdness in …
Thomas Claburn, 07 Sep 2018

Silicon Valley CEO admits $1.5m wire fraud: Bouxtie boss forged signatures to investors

Bouxtie had everything you can dream of in a Silicon Valley startup. A stupid name (it's pronounced "bow-tie"), a vastly over-confident CEO with a story, millions in VC money, and a nonsensical business model built around an app. And yet this week its chief exec Renato Libric pleaded guilty, in a US federal district court, to …
Kieren McCarthy, 07 Sep 2018

Revealed: British Airways was in talks with IBM on outsourcing security just before hack

Exclusive Just weeks before being hacked in late August, British Airways' parent IAG was planning to outsource its cybersecurity to IBM, admitting it needed a "group-wide strategic and proactive approach" to counter threats.

The memo in full

Subject: Group IT Cyber Security Update
From: John Hamilton
Sent: 01 August 2018 13:56

All …
John Leyden, 07 Sep 2018

Feel the shame: Email-scammed staffers aren't telling bosses about it

The number of UK companies on the receiving end of business scams involving email has risen by nearly two-thirds – 58 per cent – in the last year, new data from Lloyds Bank has revealed. Stats from the bank showed the average loss from so-called "business email compromise" (BEC) frauds has reached £27,000. IT workers are …
John E Dunn, 07 Sep 2018

Vodafone hounds Czech customers for bills after they were brute-forced with Voda-issued PINs

Two crooks scammed Vodafone customers in the Czech Republic out of $26,000 thanks to weak telco-issued PIN codes. Vodafone preset the online passwords for their customers with a numerical password of 4-6 digits. A pair of chancers with no technical skills were able to launch a brute-force attack that reportedly involved trying …
John Leyden, 07 Sep 2018

M-M-M-MONSTER KILL: Cisco's bug-wranglers swat 29 in single week

Cisco has taken delivery of a bulk order for 29 Common Vulnerabilities and Exposures (CVEs) IDs. If you're running the end-of-life RV110 Wireless-N VPN firewall or RV215W Wireless-N VPN router, bad news: some of their security vulnerabilities won't be patched and there's no workaround – so it is probably time to replace them …

It looks like tech-savvy drivers will have to lead connected car data purge

The privacy issues thrown up by connected cars don't seem to be going anywhere soon. Drivers of cars from BMW, Jaguar Land Rover and Mercedes-Benz have reported that previous owners retain unfettered access to the data and controls of connected cars after resale. The problem is international and extends to hire cars due to …
John Leyden, 07 Sep 2018

Could you hack your bosses without hesitation, repetition or deviation? AI says: No

Comment Businesses find themselves in a world where the threat to their networks often comes not simply from a compromise of their computers, servers, or infrastructure, but from legitimate, sanctioned users. There is nothing new about the notion of cyber-attackers seeing human beings as their biggest target. For years, real-world …
John E Dunn, 07 Sep 2018

Supermicro wraps crypto-blanket around server firmware to hide it from malware injectors

Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers. Security biz Eclypsium today said a weakness in the mechanism for updating a BMC's firmware could be abused by an attacker to install and run malicious code that would be extremely …
Shaun Nichols, 07 Sep 2018

Bug bounty alert: Musk lets pro hackers torpedo Tesla firmware risk free

Tesla will allow vetted security researchers to hunt for vulnerabilities in its vehicle firmware risk free – as long as it is done under its now-tweaked bug bounty program. The luxury electric automaker said this week it will reflash the firmware on cars that have been bricked by infosec bods probing for exploitable bugs in …
Shaun Nichols, 06 Sep 2018

Wannabe Supreme Brett Kavanaugh red-faced after leaked emails contradict spy testimony

Analysis Despite repeated denials, some under oath, US Supreme Court nominee Brett Kavanaugh appears to have known – and may even have pushed for – the warrantless spying program that was approved by President George W Bush in the aftermath of the September 11, 2001 attacks. That is the upshot of a series of emails that were provided …
Kieren McCarthy, 06 Sep 2018

FBI fingers the Norks it wants to pinch for Sony hack, WannaCry attacks

The US government has formally accused the North Korean government of being behind the Sony Pictures hack, the WannaCry ransomware that crippled the UK's National Health Service and other organizations, and a series of online bank heists including $81m stolen from Bangladesh's national bank. The state-sponsored attacks were …
Kieren McCarthy, 06 Sep 2018

'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks

British Airways on Thursday said it is investigating the theft of customer data from its website and mobile app servers. The biz, which bills itself as the world's favorite airline, said its systems had been compromised for more than two weeks. "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the …
Thomas Claburn, 06 Sep 2018

HTTPS crypto-shame: TV Licensing website pulled offline

The UK's TV Licensing agency has taken its website offline "as a precaution" after being blasted for running transactional pages that were not sent over HTTPS. The publicly funded outfit had been criticised for inviting folk to submit sensitive data over unencrypted links. Just a few hours after proclaiming "we will soon …
John Leyden, 06 Sep 2018

How to nab a HTTPS cert for a stranger's website: Step one, shatter those DNS queries...

Updated Researchers in Germany have discovered how to obtain HTTPS security certificates for web domains they don't own – even if the certs are protected by PKI-based domain validation. Essentially, some certificate authorities can be tricked into incorrectly issuing the cryptographic certs, meaning a miscreant can get an SSL/TLS …

Nope, the NSA isn't sitting in front of a supercomputer hooked up to a terrorist’s hard drive

Analysis Not since the days of the US Clipper chip in the early 1990s, have backdoors put there by government decree to bypass encryption been this fashionable with governments. Clipper – an encryption chipset with a US-government-accessible backdoor backed by the US National Security Agency (NSA) – foundered on the stubborn resistance …
John E Dunn, 06 Sep 2018

NASA 'sextortionist' allegedly tricked women into revealing their password reset answers, stole their nude selfies

A former NASA contractor was arrested and charged on Wednesday for allegedly sextorting women. Richard Gregory Bauer, 28, was detained at his Los Angeles home by special agents from the space agency's internal watchdog. Bauer is accused of stalking, unauthorized access to protected computers, and aggravated identity theft, …
Thomas Claburn, 06 Sep 2018

Do you really think crims would do that? Just go on the 'net and exploit a Windows zero-day?

The Windows ALPC security hole that emerged early last week remains unpatched, even though it is being actively exploited by hackers to gain total control over PCs. As we reported at the end of August, a person behind the now-deleted Twitter account SandboxEscaper publicly revealed the system-level privilege escalation zero- …

Take a pinch of autofill, mix in HTTP, and bake on a Wi-Fi admin page: Quirky way to swipe a victim's router password

Vid Beware using your web browser's autofill feature to log into your broadband router via Wi-Fi and unprotected HTTP. A nearby attacker can attempt to retrieve the username and password. The problem – found by SureCloud's Elliott Thompson and detailed here – is the result of a mismatch in browser behavior and router configuration …

Premera Blue Cross hacker victims claim insurer trashed server to hide data-slurp clues

Health-insurance biz Premera Blue Cross has been accused of deliberately knackering one of its computers to cover up details of a cyber-break-in. The organization denies any wrongdoing. The allegation was leveled last week against Premera, and is the latest twist in a long-running class-action lawsuit filed by the insurer's …
John Leyden, 06 Sep 2018

Everything DM gets direct message slap: Marketing biz cops £60k ICO fine

A scurrilous marketing agency that fired 1.42 million emails at prospective customers was today saddled with a £60,000 fine by the UK’s data watchdog. The Information Commissioner’s Office said Stevenage-based Everything DM Ltd (EDML) pestered people for a year from May 2016 via its direct marketing system, Touchpoint. EDML, …
Paul Kunert, 05 Sep 2018

Silence! Cybercrime's Pinky and the Brain have nicked $800k off banks

A pair of cybercrooks who may have started out as legit infosec pros have expanded their operations outside Russia and begun attacking banks across the world. "Silence is an example of a mobile, small, and young group that has been progressing rapidly," Group-IB said, adding that the cybercrime group has shown signs of …
John Leyden, 05 Sep 2018

Brit teen pleads guilty to Minecraft-linked bomb and airline hoaxes

A British teenager has pleaded guilty in court to making hoax bomb threats to schools and airports while posing online as part of a hacker crew, a police agency has alleged. George Duke-Cohan, a 19-year-old from Garston near Watford in Hertfordshire, England, pleaded guilty at Luton Magistrates’ Court yesterday to three counts …
Gareth Corfield, 05 Sep 2018

Cybercrooks home in on infosec's weakest link – you poor gullible people

Cybercrims are ramping up their efforts to target employees through fraudulent email and social media scams, according to a new study by email security firm Proofpoint. Retailers and government agencies saw huge quarter-on-quarter increases in email fraud attempts in calendar Q2, with attacks per company and agency soaring 91 …
John Leyden, 05 Sep 2018

Uncle Sam wants tech toolkit to snoop social media stock scammers

The US Securities and Exchange Commission (SEC) has put out a call for proposals on a new system that would be able to identify possible stock scams posted on Twitter, Facebook, and other social networks. The SEC posted the call last week with a September 11 deadline for proposals from developers on an application that would …
Shaun Nichols, 05 Sep 2018

Biting the hand that feeds IT © 1998–2018