Security > More stories

Silicon Valley CEO admits $1.5m wire fraud: Bouxtie boss forged signatures to investors

Bouxtie had everything you can dream of in a Silicon Valley startup. A stupid name (it's pronounced "bow-tie"), a vastly over-confident CEO with a story, millions in VC money, and a nonsensical business model built around an app. And yet this week its chief exec Renato Libric pleaded guilty, in a US federal district court, to …
Kieren McCarthy, 07 Sep 2018

Revealed: British Airways was in talks with IBM on outsourcing security just before hack

Exclusive Just weeks before being hacked in late August, British Airways' parent IAG was planning to outsource its cybersecurity to IBM, admitting it needed a "group-wide strategic and proactive approach" to counter threats. The memo in full Subject: Group IT Cyber Security Update From: John Hamilton Sent: 01 August 2018 13:56 All …
John Leyden, 07 Sep 2018

Feel the shame: Email-scammed staffers aren't telling bosses about it

The number of UK companies on the receiving end of business scams involving email has risen by nearly two-thirds – 58 per cent – in the last year, new data from Lloyds Bank has revealed. Stats from the bank showed the average loss from so-called "business email compromise" (BEC) frauds has reached £27,000. IT workers are …
John E Dunn, 07 Sep 2018

Vodafone hounds Czech customers for bills after they were brute-forced with Voda-issued PINs

Two crooks scammed Vodafone customers in the Czech Republic out of $26,000 thanks to weak telco-issued PIN codes. Vodafone preset the online passwords for their customers with a numerical password of 4-6 digits. A pair of chancers with no technical skills were able to launch a brute-force attack that reportedly involved trying …
John Leyden, 07 Sep 2018

M-M-M-MONSTER KILL: Cisco's bug-wranglers swat 29 in single week

Cisco has taken delivery of a bulk order for 29 Common Vulnerabilities and Exposures (CVEs) IDs. If you're running the end-of-life RV110 Wireless-N VPN firewall or RV215W Wireless-N VPN router, bad news: some of their security vulnerabilities won't be patched and there's no workaround – so it is probably time to replace them …

It looks like tech-savvy drivers will have to lead connected car data purge

The privacy issues thrown up by connected cars don't seem to be going anywhere soon. Drivers of cars from BMW, Jaguar Land Rover and Mercedes-Benz have reported that previous owners retain unfettered access to the data and controls of connected cars after resale. The problem is international and extends to hire cars due to …
John Leyden, 07 Sep 2018

Could you hack your bosses without hesitation, repetition or deviation? AI says: No

Comment Businesses find themselves in a world where the threat to their networks often comes not simply from a compromise of their computers, servers, or infrastructure, but from legitimate, sanctioned users. There is nothing new about the notion of cyber-attackers seeing human beings as their biggest target. For years, real-world …
John E Dunn, 07 Sep 2018

Supermicro wraps crypto-blanket around server firmware to hide it from malware injectors

Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers. Security biz Eclypsium today said a weakness in the mechanism for updating a BMC's firmware could be abused by an attacker to install and run malicious code that would be extremely …
Shaun Nichols, 07 Sep 2018

Bug bounty alert: Musk lets pro hackers torpedo Tesla firmware risk free

Tesla will allow vetted security researchers to hunt for vulnerabilities in its vehicle firmware risk free – as long as it is done under its now-tweaked bug bounty program. The luxury electric automaker said this week it will reflash the firmware on cars that have been bricked by infosec bods probing for exploitable bugs in …
Shaun Nichols, 06 Sep 2018

Wannabe Supreme Brett Kavanaugh red-faced after leaked emails contradict spy testimony

Analysis Despite repeated denials, some under oath, US Supreme Court nominee Brett Kavanaugh appears to have known – and may even have pushed for – the warrantless spying program that was approved by President George W Bush in the aftermath of the September 11, 2001 attacks. That is the upshot of a series of emails that were provided …
Kieren McCarthy, 06 Sep 2018

FBI fingers the Norks it wants to pinch for Sony hack, WannaCry attacks

The US government has formally accused the North Korean government of being behind the Sony Pictures hack, the WannaCry ransomware that crippled the UK's National Health Service and other organizations, and a series of online bank heists including $81m stolen from Bangladesh's national bank. The state-sponsored attacks were …
Kieren McCarthy, 06 Sep 2018

'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks

British Airways on Thursday said it is investigating the theft of customer data from its website and mobile app servers. The biz, which bills itself as the world's favorite airline, said its systems had been compromised for more than two weeks. "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the …
Thomas Claburn, 06 Sep 2018

HTTPS crypto-shame: TV Licensing website pulled offline

The UK's TV Licensing agency has taken its website offline "as a precaution" after being blasted for running transactional pages that were not sent over HTTPS. The publicly funded outfit had been criticised for inviting folk to submit sensitive data over unencrypted links. Just a few hours after proclaiming "we will soon …
John Leyden, 06 Sep 2018

How to nab a HTTPS cert for a stranger's website: Step one, shatter those DNS queries...

Updated Researchers in Germany have discovered how to obtain HTTPS security certificates for web domains they don't own – even if the certs are protected by PKI-based domain validation. Essentially, some certificate authorities can be tricked into incorrectly issuing the cryptographic certs, meaning a miscreant can get a SSL/TLS …

Nope, the NSA isn't sitting in front of a supercomputer hooked up to a terrorist’s hard drive

Analysis Not since the days of the US Clipper chip in the early 1990s, have backdoors put there by government decree to bypass encryption been this fashionable with governments. Clipper – an encryption chipset with a US-government-accessible backdoor backed by the US National Security Agency (NSA) – foundered on the stubborn resistance …
John E Dunn, 06 Sep 2018

NASA 'sextortionist' allegedly tricked women into revealing their password reset answers, stole their nude selfies

A former NASA contractor was arrested and charged on Wednesday for allegedly sextorting women. Richard Gregory Bauer, 28, was detained at his Los Angeles home by special agents from the space agency's internal watchdog. Bauer is accused of stalking, unauthorized access to protected computers, and aggravated identity theft, …
Thomas Claburn, 06 Sep 2018

Do you really think crims would do that? Just go on the 'net and exploit a Windows zero-day?

The Windows ALPC security hole that emerged early last week remains unpatched, even though it is being actively exploited by hackers to gain total control over PCs. As we reported at the end of August, a person behind the now-deleted Twitter account SandboxEscaper publicly revealed the system-level privilege escalation zero- …

Take a pinch of autofill, mix in HTTP, and bake on a Wi-Fi admin page: Quirky way to swipe a victim's router password

Vid Beware using your web browser's autofill feature to log into your broadband router via Wi-Fi and unprotected HTTP. A nearby attacker can attempt to retrieve the username and password. The problem – found by SureCloud's Elliott Thompson and detailed here – is the result of a mismatch in browser behavior and router configuration …

Premera Blue Cross hacker victims claim insurer trashed server to hide data-slurp clues

Health-insurance biz Premera Blue Cross has been accused of deliberately knackering one of its computers to cover up details of a cyber-break-in. The organization denies any wrongdoing. The allegation was leveled last week against Premera, and is the latest twist in a long-running class-action lawsuit filed by the insurer's …
John Leyden, 06 Sep 2018

Everything DM gets direct message slap: Marketing biz cops £60k ICO fine

A scurrilous marketing agency that fired 1.42 million emails at prospective customers was today saddled with a £60,000 fine by the UK’s data watchdog. The Information Commissioner’s Office said Stevenage-based Everything DM Ltd (EDML) pestered people for a year from May 2016 via its direct marketing system, Touchpoint. EDML, …
Paul Kunert, 05 Sep 2018

Silence! Cybercrime's Pinky and the Brain have nicked $800k off banks

A pair of cybercrooks who may have started out as legit infosec pros have expanded their operations outside Russia and begun attacking banks across the world. "Silence is an example of a mobile, small, and young group that has been progressing rapidly," Group-IB said, adding that the cybercrime group has shown signs of …
John Leyden, 05 Sep 2018

Brit teen pleads guilty to Minecraft-linked bomb and airline hoaxes

A British teenager has pleaded guilty in court to making hoax bomb threats to schools and airports while posing online as part of a hacker crew, a police agency has alleged. George Duke-Cohan, a 19-year-old from Garston near Watford in Hertfordshire, England, pleaded guilty at Luton Magistrates’ Court yesterday to three counts …
Gareth Corfield, 05 Sep 2018

Cybercrooks home in on infosec's weakest link – you poor gullible people

Cybercrims are ramping up their efforts to target employees through fraudulent email and social media scams, according to a new study by email security firm Proofpoint. Retailers and government agencies saw huge quarter-on-quarter increases in email fraud attempts in calendar Q2, with attacks per company and agency soaring 91 …
John Leyden, 05 Sep 2018

Uncle Sam wants tech toolkit to snoop social media stock scammers

The US Securities and Exchange Commission (SEC) has put out a call for proposals on a new system that would be able to identify possible stock scams posted on Twitter, Facebook, and other social networks. The SEC posted the call last week with a September 11 deadline for proposals from developers on an application that would …
Shaun Nichols, 05 Sep 2018

Mikrotik routers pwned en masse, send network data to mysterious box

More than 7,500 Mikrotik routers have been compromised with malware that logs and transmits network traffic data to an unknown control server. This is according to researchers from 360 Netlab, who found the routers had all been taken over via an exploit for CVE-2018-14847, a vulnerability first disclosed in the Vault7 data …
Shaun Nichols, 04 Sep 2018

India's ISPs show they have good MANRS, sign up to Internet Society's routing security scheme

India's ISPs have agreed as a bloc to join The Internet Society's MANRS route integrity programme. MANRS stands for Mutually Agreed Norms for Routing Security, and was launched in 2014 to try and solve some of the Border Gateway Protocol's most pressing problems. In essence, the programme asks its members to play their part in …

Cock-ups, rather than conspiracies, top self-reported data breaches

Data breaches at organisations that 'fess up to the UK's data protection watchdog are about seven times more likely to be caused by human error than hackers. According to data released under the Freedom of Information Act, 2,124 incidents reported by organisations in 2017-18 could be pinned on mistakes or incompetence. Only …
Rebecca Hill, 04 Sep 2018

Thousands of misconfigured 3D printers on interwebz run risk of sabotage

Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned. Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to …
John Leyden, 04 Sep 2018

Excuse me, but your website's source code appears to be showing

An internet-wide scan on 230 million domains found 390,000 exposed source code directories. The results, obtained by security researcher Vladimír Smitka, are a problem because access to the .git folder within the file versions repository contains a lot of information about the website's structure or worse. "Sometimes you can …
John Leyden, 04 Sep 2018

Google cracks down on dodgy tech support ads

Google has placed restrictions on tech support ads after admitting it's increasingly hard to tell promos for legit services from deceptions. Tech support scams come via either cold calls to unsuspecting users or bogus web pages showing made-up, fake alert messages usually about dummy virus infections. Cold-callers posing as …
John Leyden, 03 Sep 2018

Congress wants CVE stability, China wants your LinkedIn details, and Adobe wants you to patch Creative Cloud

Another week has come and gone. This one included some Fortnite flaws, a nasty Intel bug, and a voting machine maker whining about hacking contests. Here’s a bit more of the recent news in security: Exciting new LinkedIn use case: Chinese spying Be careful the next time you get an invite to connect on LinkedIn: you might be …
Shaun Nichols, 01 Sep 2018

Boffins are building an open-source secure enclave on RISC-V

At some point this fall, a team of researchers from MIT's CSAIL and UC Berkeley's EECS aim to deliver an initial version of an open source, formally verified, secure hardware enclave based on RISC-V architecture called Keystone. "From a security community perspective, having trustworthy secure enclaves is really important for …
Thomas Claburn, 31 Aug 2018

DraftKings rides to court, asks to unmask 10 DDoS suspects

A US sports gaming company is asking permission to unmask 10 people it believes were behind a massive DDoS attack on its website earlier this month. DraftKings, based out of Boston, MA, has filed [PDF] with the Massachusetts US District Court for authorization to force ISPs around the US to turn over the identities linked to …
Shaun Nichols, 31 Aug 2018

C'mon, if you say your device is 'unhackable', you're just asking for it: Bitfi retracts edgy claim

Bitfi finally and reluctantly retracted its unhackable claim last night in the face of a new cold boot attack. The John McAfee-backed hardware crypto-wallet firm got under the skins of security researchers by marketing its device as "unhackable" when it launched in July. The $120 Wi-Fi-enabled Bitfi wallet is a hardware …
John Leyden, 31 Aug 2018

Spies still super upset they can't get at your encrypted comms data

The Five Eyes nations have told the tech industry to help spy agencies by creating lawful access solutions to encrypted services – and warned that governments can always legislate if they don't. The UK, US, Canada, Australia and New Zealand - which have a long-standing intelligence agreement – met in Australia this week. In …
Rebecca Hill, 31 Aug 2018

Fourth 'Fappening' celeb nude snap thief treated to 8 months in the clink

The last of the four hackers collared for stealing and leaking people's private nude photos from their online accounts back in 2014 has been sentenced to eight months' imprisonment. George Garofano, 26, of North Branford, Connecticut, was also sentenced to three years' supervision post-release as punishment for his role in " …
John Leyden, 31 Aug 2018

Biting the hand that feeds IT © 1998–2018