UK Treasury Committee chairman calls on Equifax to answer for breach omnishambles

Equifax may soon face the wrath of UK politicians after the chairman of the country's House of Commons Treasury Committee demanded answers from the firm over its handling of its recent data breach. Nicky Morgan MP has written to the chief executive of Equifax Limited asking for further details about the scale of the breach, …
John Leyden, 12 Oct 2017

Swiss banking software has Swiss cheese security, says Rapid7

Rapid7 has gone public with news of an e-commerce SQL injection vulnerability, saying it couldn't raise a response from the vendor. The software in question, SmartVista, is an e-commerce and financial product from BPC Banking, and in this post, Rapid7 says it told the company about the issue back in May 2017. The US CERT …

Dear America, best not share that password with your pals. Lots of love, the US Supremes

A California bloke fighting a computer hacking conviction has lost his final appeal after the US Supreme Court declined to hear his case. The ramifications of this decision could affect everyone in America who has ever shared a password with their friends and family. We'll explain. In 2004, David Nosal was a high-level …
Iain Thomson, 11 Oct 2017

Dumb bug of the week: Outlook staples your encrypted emails to, er, plaintext copies when sending messages

Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached. You read that right: if you can intercept a network connection transferring an encrypted email, …
Iain Thomson, 11 Oct 2017

Judge says US govt has 'no right to rummage' through anti-Trump protest website logs

A Washington DC judge has told the US Department of Justice (DoJ) it "does not have the right to rummage" through the files of an anti-Trump protest website – and has ordered the dot-org site's hosting company to protect the identities of its users. Chief Judge Robert E. Morin issued the revised order [PDF] Tuesday following a …
Kieren McCarthy, 11 Oct 2017

North Korean hackers allegedly probing US utilities for weaknesses

Hackers believed to be from North Korea are casing out US electric companies in preparation for a possible cyber attack – so says security firm FireEye. "FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to US electric companies by known cyber threat actors likely affiliated with the North …
John Leyden, 11 Oct 2017

When Irish data's leaking: Supermarket shoppers urged to check bank statements

Shoppers at SuperValu, Centra and Mace have been told to review their bank statements following a cyber attack against Irish retailer Musgrave. Musgrave, which owns all three stores, urged customers to take the precaution amid fears that hackers may have extracted credit card and debit card numbers and expiry dates from its …
John Leyden, 11 Oct 2017

'There has never been a right to absolute privacy' – US Deputy AG slams 'warrant-proof' crypto

Continuing the US government's menacing of strong end-to-end encryption, Deputy Attorney General Rod Rosenstein told an audience at the US Naval Academy that encryption isn't protected by the American Constitution. In short, software writers and other nerds: the math behind modern cryptography is trumped by the Fourth …

'Israel hacked Kaspersky and caught Russian spies using AV tool to harvest NSA exploits'

Updated The brouhaha over Russian spies using Kaspersky antivirus to steal NSA exploits from a staffer's home PC took an explosive turn on Tuesday. Essentially, it is now claimed Israeli spies hacked into Kaspersky's backend systems only to find Russian snoops secretly and silently using the software as a global search engine. Kremlin …

Hackers nick $60m from Taiwanese bank in tailored SWIFT attack

Updated Hackers managed to pinch $60m from the Far Eastern International Bank in Taiwan by infiltrating its computers last week. Now, most of the money has been recovered, and two arrests have been made in connection with the cyber-heist. On Friday, the bank admitted the cyber-crooks planted malware on its PCs and servers in order to …
Iain Thomson, 11 Oct 2017

It's 2017... And Windows PCs can be pwned via DNS, webpages, Office docs, fonts – and some TPM keys are fscked too

Microsoft today released patches for more than 60 CVE-listed vulnerabilities in its software. Meanwhile, Adobe is skipping October's Patch Tuesday altogether. Among the latest holes that need papering over via Windows Update are three vulnerabilities already publicly disclosed – with one being exploited right now by hackers to …
Shaun Nichols, 10 Oct 2017

Equifax: About those 400,000 UK records we lost? It's now 15.2M. Yes, M for MEELLLION

Updated Last month, US credit score agency Equifax admitted the personal data for just under 400,000 UK accounts was slurped by hackers raiding its database. On Tuesday this week, it upped that number ever-so-slightly to 15.2 million. In true buck-passing fashion, at the time of writing, Equifax hadn't even released a public statement …
Iain Thomson, 10 Oct 2017

Apple's iOS password prompts prime punters for phishing: Too easy now for apps to swipe secrets, dev warns

Apple, we have a problem. A bug report filed Monday through Open Radar – which mirrors bug reports developers submit to Apple's private bug tracking system – suggests that password prompts in iOS apps can be misused to steal passwords and other secrets. In a blog post today describing the issue, developer Felix Krause, founder …
Thomas Claburn, 10 Oct 2017

Hackers in Arab world collaborate more than hoodie-clad Westerners

Cybercriminals in the Arab states are some of the most cooperative in the world, according to Trend Micro this week. The infosec biz's latest study, Digital Souks: A glimpse into the Middle Eastern and North African underground, identifies the most popular kinds of hacking tools and commodities, and the most active countries …
John Leyden, 10 Oct 2017

Overdraft-fiddling hackers cost banks in Eastern Europe $100m

Hybrid cyber attacks on banks in former Soviet states have already resulted in estimated losses of $100m. Security researchers at Trustwave report today that cybercriminals are using mules to open accounts with counterfeit documents while hackers compromise the bank's systems to obtain unauthorised privileged access and break …
John Leyden, 10 Oct 2017

Real Mad-quid: Murky cryptojacking menace that smacked Ronaldo site grows

Cryptojacking is well on its way to becoming a new menace to internet hygiene. On some sites, internet publishers are making money by using the spare processor cycles of visiting surfers to mine cryptocurrency, using scripts running in the background on pages to mine coins. In other cases, hackers have planted JavaScript on …
John Leyden, 10 Oct 2017

Leaky-by-design location services show outsourced security won't ever work

We’re leaking location data everywhere, and it's time to fix it by design. An example: if you go on safari in Africa, you'll be asked to turn off your smartphone's location tracking capabilities. The reason is that most people have no idea that every photo they take with their phone embeds location data in the exchangeable …
Mark Pesce, 10 Oct 2017
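The mechanism behind the safari advice above is Exif metadata: the camera writes a GPS sub-IFD into the JPEG's APP1 segment, and anything that forwards the file unchanged forwards the coordinates with it. The following is an added example, not code from the article or from any tool it mentions: a dependency-free Python parser that pulls latitude and longitude out of the GPS IFD and a stripper that drops the Exif segment while keeping every other marker segment intact. The JPEG it operates on is constructed inline (header segments only, no scan data) and is a constructed sample, not a real photo; the tag numbers (0x8825 for the GPS IFD pointer, 0x0001 to 0x0004 for the reference letters and coordinates) are the ones defined by the Exif specification.

```python
import struct

EXIF_HEADER = b"Exif\0\0"
GPS_IFD_POINTER = 0x8825          # TIFF tag in IFD0 pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def iter_segments(jpeg):
    """Yield (marker, payload) for each JPEG marker segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or SOS: no more metadata segments
            return
        length, = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, off, order):
    """Parse one IFD; returns {tag: (type, count, 4 raw value/offset bytes)}."""
    count, = struct.unpack(order + "H", tiff[off:off + 2])
    entries = {}
    for i in range(count):
        e = off + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _dms(tiff, off, order, ref):
    """Three RATIONALs (deg, min, sec) at off -> signed decimal degrees."""
    vals = struct.unpack(order + "IIIIII", tiff[off:off + 24])
    deg, mins, secs = (vals[i] / vals[i + 1] for i in (0, 2, 4))
    dec = deg + mins / 60 + secs / 3600
    return -dec if ref in ("S", "W") else dec


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None."""
    for marker, payload in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        order = ">" if tiff[:2] == b"MM" else "<"   # byte order from the TIFF header
        ifd0_off, = struct.unpack(order + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, order)
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps_off, = struct.unpack(order + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, gps_off, order)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        # N/S and E/W refs are 2-byte ASCII, so they sit inline in the entry.
        lat_ref = gps[GPS_LAT_REF][2].rstrip(b"\0").decode("ascii")
        lon_ref = gps[GPS_LON_REF][2].rstrip(b"\0").decode("ascii")
        lat_off, = struct.unpack(order + "I", gps[GPS_LAT][2])   # RATIONALs are 8 bytes each, always via offset
        lon_off, = struct.unpack(order + "I", gps[GPS_LON][2])
        return _dms(tiff, lat_off, order, lat_ref), _dms(tiff, lon_off, order, lon_ref)
    return None


def strip_exif(jpeg):
    """Copy the JPEG, dropping every APP1 Exif segment and keeping all others."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos < len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI or SOS: copy the remainder verbatim
            out += jpeg[pos:]
            break
        length, = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        seg = jpeg[pos:pos + 2 + length]
        if not (marker == 0xE1 and seg[4:10] == EXIF_HEADER):
            out += seg
        pos += 2 + length
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample (not a real photo): header-only JPEG with a GPS IFD
    for 51 deg 30' 26" N, 0 deg 07' 39" W, plus a COM segment that must survive stripping."""
    t = bytearray(b"MM" + struct.pack(">HI", 42, 8))            # TIFF header, IFD0 at offset 8
    t += struct.pack(">H", 1)                                     # IFD0: one entry
    t += struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26)          #   LONG -> GPS IFD at offset 26
    t += struct.pack(">I", 0)                                     # no next IFD
    t += struct.pack(">H", 4)                                     # GPS IFD: four entries
    t += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + b"N\0\0\0"     #   ASCII, inline
    t += struct.pack(">HHII", GPS_LAT, 5, 3, 80)                  #   3 RATIONALs at offset 80
    t += struct.pack(">HHI", GPS_LON_REF, 2, 2) + b"W\0\0\0"
    t += struct.pack(">HHII", GPS_LON, 5, 3, 104)                 #   3 RATIONALs at offset 104
    t += struct.pack(">I", 0)
    for d, m, s in ((51, 30, 26), (0, 7, 39)):
        t += struct.pack(">IIIIII", d, 1, m, 1, s, 1)
    payload = EXIF_HEADER + bytes(t)
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    note = b"constructed sample, not a real photo"
    com = b"\xff\xfe" + struct.pack(">H", len(note) + 2) + note
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("location in sample:", extract_gps(photo))             # approx (51.5072, -0.1275)
    print("after stripping:   ", extract_gps(strip_exif(photo)))  # None
```

The parser deliberately handles only the inline case for the short ASCII reference tags and the offset case for RATIONALs, which is what real camera output looks like for these four tags; a general Exif reader also has to follow offsets for any value longer than four bytes and should guard against a zero denominator in hostile files. Stripping the whole APP1 Exif segment, rather than editing the GPS IFD in place, is the safer choice before sharing because it also removes thumbnails and maker notes that can carry a second copy of the coordinates.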

Smut-watchers suckered by evil advertising

Security bods have closed off a malvertising campaign, spread through an ad network, that targeted smut site P0rnHub. The attacks exposed "millions of potential victims in the US, Canada, the UK, and Australia", said the Proofpoint researchers who discovered the attack. Proofpoint said the campaign was …

Fending off cyber attacks as important as combatting terrorism, says new GCHQ chief

Keeping the UK safe from cyber attacks is now as important as fighting terrorism, the new GCHQ boss has said. Jeremy Fleming, director of the signals intelligence service, said increased funding for GCHQ was being spent on making it a "cyber-organisation" as much as an intelligence and counter-terrorism unit. Fleming, who …
John Leyden, 09 Oct 2017

1,000 jobs on the line at BAE Systems' Lancashire plants – reports

BAE Systems, maker of military machinery, is to slash more than 1,000 jobs, according to reports, with most roles affected at its Warton plant in Lancashire, England – the main factory that builds the Eurofighter Typhoon. While nominally a multinational aircraft, the Typhoon is effectively a BAE design from top to bottom and …
Gareth Corfield, 09 Oct 2017

Video games used to be an escape. Now not even they are safe from ads

VB2017 Poor disclosure and intrusive advertising are becoming a bête noire for gamers who increasingly find themselves getting fragged by promos. Adverts in gaming or advergaming systems are becoming more complex as marketeers resort to techniques that embed advertising deep enough so that earlier ad-blocking attempts no longer work …
John Leyden, 09 Oct 2017

VPN logs helped unmask alleged 'net stalker, say feds

Virtual private network provider PureVPN helped the FBI track down a suspected internet stalker, by combing its logs to reveal his IP address. The US Department of Justice announced on Friday the arrest of Ryan Lin, a 24-year-old from Newtown, Massachusetts, on charges that he cyber-stalked a former roommate. According to the …

After selling his site for millions, founder hacked it for a second payday

"Operation Resume Hoard" was going well. Initiated around April 1, 2015, it represented David W. Kent's plan to build the membership of his oil and gas industry networking site Oilpro.com. Court documents indicate that Kent, 41, of Spring, Texas, USA, had a buyer in mind: DHI Group, the employment data biz that in 2010, when …
Thomas Claburn, 07 Oct 2017

It's 4PM on Friday, almost time to log off and, oh look, Disqus says it's been hacked

Disqus, the developer of website comment systems used worldwide, is playing the old "bury bad news late on a Friday" card – as it just confessed one of its databases was swiped by hackers. The software maker, which produces reader comment boards for blogs and newspapers everywhere, admitted at 4pm Pacific Time, Friday, that a …
Shaun Nichols, 06 Oct 2017

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold

Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack. Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the …
Shaun Nichols, 06 Oct 2017

FBI iPhone hack lost forever, White House mobe compromised, SSH – and plenty more

Roundup Another week draws to a close so it's time to review the security news you may have missed in between the big hitters: the NSA contractor who leaked more exploits, Apple's encryption password blunder, and so on. This week we've seen bugs, hacking, and government silliness – take a look... Computerinsel PhotoLine full of bugs …
Iain Thomson, 06 Oct 2017

Russia, America dig into tug-of-war over Bitcoin laundering suspect

Russia doesn't want America taking one of its nationals accused of running a $4bn Bitcoin laundering ring – Moscow wants him more. The Russian foreign ministry said in a statement on Friday that a Greek court's decision to extradite Alexander Vinnik to the US is "unjust and a violation of international law". The 38-year-old …
Andrew Silver, 06 Oct 2017

Avast urges devs to secure toolchains after hacked build box led to CCleaner disaster

VB2017 Avast staffers spoke at the Virus Bulletin International Conference in Madrid, Spain, on Thursday to shed more light on their postmortem of the CCleaner fiasco – and urge developers to protect their software's toolchain and distribution systems from hackers. The widely used utility, which removes unwanted temporary files and …
John Leyden, 06 Oct 2017

Another W3C API exposing users to browser snitching

Yet another W3C API can be turned against the user, privacy boffin Lukasz Olejnik has warned – this time, it's in how browsers store and check credit card data. As is so often the case, a feature created for convenience can be abused in implementation. To save users from the tedious task of entering the 16 characters of their …

How bad can the new spying legislation be? Exhibit 1: it's called the USA Liberty Act

Analysis The US Senate Judiciary Committee has unveiled its answer to a controversial spying program run by the NSA and used by the FBI to fish for crime leads. Unsurprisingly, the proposed legislation [PDF] reauthorizes Section 702 of the Foreign Intelligence Surveillance Act (FISA) – which allows American snoops to scour …
Kieren McCarthy, 05 Oct 2017

Russian spies used Kaspersky AV to hack NSA staffer, swipe exploit code – new claim

Russian government spies used Kaspersky Lab software to extract top-secret software exploits from an NSA staffer's home PC, anonymous sources have claimed. The clumsy snoop broke regulations by taking the classified code, documentation, and other materials home to work on using his personal computer, which was running …
Iain Thomson, 05 Oct 2017

Dumb bug of the week: Apple's macOS reveals your encrypted drive's password in the hint box

Video Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software. Matheus Mariano, a developer with Brazil-based Leet Tech, documented the APFS flaw in a blog post a week ago, and it has since been reproduced by another programmer, …
Thomas Claburn, 05 Oct 2017

Spy vs spy vs hacker vs... who is THAT? Everyone's hacking each other

VB2017 Intel agencies and top-tier hackers are actively hacking other hackers in order to steal victim data, borrow tools and techniques, and reuse each other's infrastructure, attendees at Virus Bulletin Con, Madrid, were told yesterday. The increasing amount of spy-vs-spy type activity is making accurate threat intel increasingly …
John Leyden, 05 Oct 2017

UK cybercops reacted to 590 'significant attacks' over past year – report

The National Cyber Security Centre responded to 590 "significant attacks" over the last year including WannaCry, MPs' email addresses being targeted due to weak passwords and various threats to other large organisations. The body was created in October last year, bringing together previously separate parts of government, MI5 …
Kat Hall, 05 Oct 2017

Bulletproof hosts stay online by operating out of disputed backwaters

VB2017 Some bulletproof hosting (BPH) operations – wellspring of all manner of online villainy – are moving their operations to the disputed territories of eastern Ukraine and Transnistria on the Moldovan border. BPH is often sold through darknet bazaars. These services sit at the centre of long-lasting, large-scale and profitable …
John Leyden, 05 Oct 2017

India's national internet registry breached, but says heist was trivial

Indian antivirus and endpoint vendor Seqrite claims the nation's internet registry has suffered a data breach, but the registry's parent organisation says while it was attacked the information obtained was trivial. Seqrite says its researchers noticed “an advertisement on DarkNet announcing secret access to the servers and …
Simon Sharwood, 05 Oct 2017

Biting the hand that feeds IT © 1998–2017