The Disaster Formerly Known as Yahoo! has been fined $35m by US financial watchdog, the SEC, for failing to tell anyone about one of the world’s largest ever computer security breaches. Now known as Altaba following its long, slow and painful descent in irrelevance, Yahoo! knew that its entire user database – including billions of Read more about Yahoo! fined! $35m! for! covering! up! massive! IT! security! screwup![…]
Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials. Many of the documents were obtained by Motherboard using public records requests. Read more about Cops Around the Country Can Now Unlock iPhones, Records Show[…]
If you want your computer to be really secure, disconnect its power cable. So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev. The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could install malware that regulates Read more about Data exfiltrators send info over PCs’ power supply cables[…]
Under Armour Inc., joining a growing list of corporate victims of hacker attacks, said about 150 million user accounts tied to its MyFitnessPal nutrition-tracking app were breached earlier this year. An unauthorized party stole data from the accounts in late February, Under Armour said on Thursday. It became aware of the breach earlier this week Read more about Under Armour Data Breach: 150 Million MyFitnessPal Accounts Hacked[…]
Hackers have moved away from simple point-of-sale (POS) terminal attacks to more refined assaults on corporations’ head offices. An annual report from security firm Trustwave out today highlighted increased sophistication of web app hacking and social engineering tactics on the part of miscreants. Half of the incidents investigated involved corporate and internal networks (up from Read more about Trustwave Global IT Security Report Summarised[…]
A customer was questioning if rumors that T-Mobile Austria was storing customer passwords in plain text, leaving the credentials like sitting ducks for hackers. Whoever was manning T-Mobile Austria’s Twitter account confirmed that this was the case, but that there was no need to worry because “our security is amazingly good.” Hello Claudia! The customer Read more about T-Mobile Austria stores passwords as plain text[…]
Intel has made much of its NUC and Compute Stick mini-PCs as a way to place computers to out-of-the-way places like digital signage. Such locations aren’t the kind of spots where keyboards and pointing devices can be found, so Intel sweetened the deal by giving the world an Android and iOS app called the “Intel Read more about NUC, NUC! Who’s there? Intel, warning you to kill a buggy keyboard app[…]
It seems as if last year’s data breaches were characterized by increased regularity, yet somehow, according to the latest research from IBM Security, fewer records were actually exposed. The year saw a 25 percent dip in exposed records—2.5 billion down from 4 billion the previous year—according to IBM’s latest X-Force report. The cause: Cybercriminals have Read more about Rise in Ransomware Attacks Actually Led to Fewer Exposed Records, IBM Discovers[…]
Security researchers have uncovered 1.5 billion business and consumer files exposed online – just a month before Europe’s General Data Protection Regulation comes into force. During the first three months of 2018, threat intel firm Digital Shadows detected 1,550,447,111 publicly available files across open Amazon Simple Storage Service (S3) buckets, rsync, Server Message Block (SMB), Read more about 1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak[…]
An unknown attacker has exploited a bug in the Verge cryptocurrency network code to mine Verge coins at a very rapid pace and generate funds almost out of thin air. The Verge development team is preparing a hard-fork of the entire cryptocurrency code to fix the issue and revert the blockchain to a previous state Read more about Hacker Uses Exploit to Generate Verge Cryptocurrency out of Thin Abir[…]
The U.S. Secret Service is warning financial institutions about a new scam involving the temporary theft of chip-based debit cards issued to large corporations. In this scheme, the fraudsters intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. When the unsuspecting business receives and activates Read more about Secret Service Warns of Chip Card Scheme: replacing the chip and then draining after activation[…]
The DronesForLess.co.uk site was left wide open by its operators, who failed to protect critical parts of its web infrastructure from curious people, as spotted by Alan at secret-bases.co.uk, who told The Register. We discovered more than 10,000 online purchase receipts had been saved to its web servers without any encryption or even password protection Read more about DronesForLess leaks customer purchasing data[…]
So: Oddly enough, if you make a QR code that tells you to go somewhere, the camera will take you to where the QR code tells you to go, even if you tell someone that the QR code goes someplace else. This trend of ‘reporting’ security problems that are not security problems at all is Read more about IOS QR ‘bug’ isn’t a bug: trend in pointing out things working as intended as a security advisory continues[…]
Cisco’s Elastic Services Controller’s release 3.0.0 software has a critical vulnerability: it accepts an empty admin password. The Controller (ESC) is Cisco’s automation environment for network function virtualisation (NFV), providing VM and service monitors, automated recovery and dynamic scaling. Cisco’s advisory about the flaw explains the bug is in ESC’s Web service portal: “An attacker Read more about Cisco NFV elastic services controller accepts empty admin password[…]
A paper released on arXiv last week by a team of researchers from the University of California, Berkeley, National University of Singapore, and Google Brain reveals just how vulnerable deep learning is to information leakage. The researchers labelled the problem “unintended memorization” and explained it happens if miscreants can access to the model’s code and Read more about AI models leak secret data too easily[…]
Researchers from German security firm Kromtech Security allege that until recently, MBM Company was improperly handling customer details. On February 6, they identified an unsecured Amazon S3 storage bucket, containing a MSSQL database backup file. According to Kromtech Security’s head of communications, Bob Diachenko, further analysis of the file revealed it held the personal information Read more about Jewelry site accidentally leaks personal details (and plaintext passwords!) of 1.3M users[…]
On Tuesday, a little known security company claimed to have found vulnerabilities and backdoors in some AMD processors. Within some parts of the security community, the story behind the researchers’ discovery quickly became more interesting than the discovery itself. The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing Read more about Can AMD Vulnerabilities Be Used to Game the Stock Market?[…]
More than 1,000 security employees in as many as 17 countries participated in the survey. Most said the biggest hurdle to mounting an adequate defense against cyber threats today is the lack of skilled personnel. (Poor security awareness and an inability to sift through enormous piles of data tied for second place.) The survey, which Read more about Major Survey of IT Pros Reveals Why Everything Gets Hacked All the Damn Time, paying for ransomware is like flipping a coin[…]
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users’ passwords, including administrative users and privileged service accounts (eg Domain Controllers). The LDAP server incorrectly validates certain LDAP password modifications against the Read more about Samba allows anyone to change everyone’s password[…]
The hardcoded password issue affects Cisco’s Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers. Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Read more about Hardcoded Password Found in Cisco Software[…]
Tal Be’ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer’s browser and go to a web address that Read more about Researchers Bypassed Windows Password Locks With Cortana Voice Commands[…]
When the mysterious entity known as the “Shadow Brokers” released a tranche of stolen NSA hacking tools to the internet a year ago, most experts who studied the material homed in on the most potent tools, so-called zero-day exploits that could be used to install malware and take over machines. But a group of Hungarian Read more about Leaked Files Show How the NSA Tracks Other Countries’ Hackers[…]
Earlier this month, we published our first article of our Internet of Things series, “IoD – Internet of Dildos“. As promised, we expanded our research and would like to present you with the first results of our “IoB – Internet of Babies” research. Baby monitors serve an important purpose in securing and monitoring our loved Read more about Internet of Babies – 52000 baby monitors open for public viewing[…]
IBM X-Force Incident Response and Intelligence Services (IRIS) assesses that threat groups of likely Nigerian origin are engaged in a widespread credential harvesting, phishing and social engineering campaign designed to steal financial assets. Beginning in the fall of 2017, X-Force IRIS experienced a significant increase in clients reporting instances of fraud or attempted fraud via Read more about IBM Finds Fortune 500 Companies will lose $9 billion to phishing scams in 2018 – this is what these attacks look like[…]
Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software. If you’re running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious JavaScript code on an evil site Read more about uTorrent file-swappers urged to upgrade after PC hijack flaws sort of fixed[…]