Equifax's world-beating breach of 143 million Americans' sensitive personal and financial information was the result of the company's failure to patch a two-month-old bug in Apache Struts, despite multiple reports of the bug being exploited in the wild.

This credit-card skimmer was removed from a New York gas pump; it uses components scavenged from a cellular phone and a T-Mobile SIM to send the credit card details it harvests to its owners, who can retrieve them from anywhere in the world.

In a post to the venerable NANOG list (mirrored since to Dave Farber's Interesting People list), anti-spam researcher Ronald F. Guilmette posts the results of his investigation into the IP addresses claimed by a mysterious company called host-offshore.com — IP addresses assigned to "various parties within the nation of Columbia (including the National University thereof)" but, strangely, routed through Bulgaria.

Looking for an appetite suppressant? The U.S. Food & Drug Administration can help. Just stop by FDA's Defect Levels Handbook to learn how many insect legs and rodent hairs are acceptable in various foods sold to the American public.

Philadelphia is a crimeware-as-a-service business that sells a highly customizable ransomware package for budding entrepreneurs who want to dabble in crime.

The Mirai worm made its way into information security lore in September, when it was identified as the source of the punishing flood of junk traffic launched against Brian Krebs in retaliation for his investigative reporting about a couple of petty Israeli criminals; subsequent analysis showed Mirai to be amateurish and clumsy, and despite this, it went on to infect devices all over the world, gaining virulence as it hybridized with other Internet of Things worms, endangering entire countries, growing by leaps and bounds, helped along by negligent engineering practices at major companies like Sony.

The unprecedented denial-of-service attacks powered by the Mirai Internet of Things worm have harnessed crappy, no-name CCTVs, PVRs, and routers to launch unstoppable floods of internet noise, but it's not just faceless Chinese businesses that crank out containerloads of vulnerable, defective-by-design gear — it's also name brands like Sony.

Last week, the San Francisco Municipal Light Rail system (the Muni) had to stop charging passengers to ride because a ransomware hacker had taken over its network and encrypted the drives of all of its servers.

The Mirai worm — first seen attacking security journalist Brian Krebs with 620gbps floods, then taking down Level 3, Dyn and other hardened, well-provisioned internet giants, then spreading to every developed nation on Earth (and being used to take down some of those less-developed nations) despite being revealed as clumsy and amateurish (a situation remedied shortly after by hybridizing it with another IoT worm) — is now bigger than ever, and you can rent time on it to punish journalists, knock countries offline, or take down chunks of the core internet.

The various Mirai botnets, which use "clumsy, amateurish code to take over even more clumsy and amateurish CCTVs, routers, PVRs and other Internet of Things devices, have been responsible for some eye-popping attacks this season: first there was the 620Gbps attack on journalist Brian Krebs (in retaliation for his coverage of a couple of petty Israeli crooks); then there was the infrastructure attack that took out Level 3, Netflix, Twitter, Dyn, and many more of the internet's best-defended services.

A China-based maker of surveillance cameras said Monday it will recall some products sold in the United States after a massive "Internet of Things" malware attack took down a major DNS provider in a massive DDOS attack. The stunningly broad attack brought much internet activity to a halt last Friday. — Read the rest

Some of the internet's most popular, well-defended services — including Twitter — were knocked offline yesterday by a massive denial-of-service attack that security experts are blaming on botnets made from thousands of hacked embedded systems in Internet of Things devices like home security cameras and video recorders.

The California DMV has rejected Opendns founder David Ulevitch's application for an "1NFOS3C" vanity license plate because it includes "a term of lust or depravity."

Mirai, the clumsily written Internet of Things virus that harnessed so many devices in an attack on journalist Brian Krebs that it overloaded Akamai, has now spread to devices in either 164 or 177 countries — that is, pretty much everywhere with reliable electricity and internet access. — Read the rest

Following the release of the sourcecode for the Mirai botnet, which was used to harness DVRs, surveillance cameras and other Internet of Things things into one of the most powerful denial-of-service attacks the internet has ever seen, analysts have gone over its sourcecode and found that the devastatingly effective malware was strictly amateur-hour, a stark commentary on the even worse security in the millions and millions of IoT devices we've welcomed into our homes.

Only three days after EFF's open letter to HP over the company's deployment of a stealth "security update" that caused its printers to reject third-party cartridges, the company issued an apology promising to let customers optionally install another update to unbreak their printers.

On the eve of the Stuxnet attacks, half a decade ago, I found myself discussing what it all meant with William Gibson (I'd just interviewed him on stage in London), and I said, "I think the most significant thing about any of these sophisticated, government-backed attacks is that they will eventually turn into a cheap and easy weapon that technically unskilled people can deploy for petty grievances." — Read the rest

NCR reports in-the-wild sightings of "deep skimmers" (tiny, disposable card-skimmers that run on watch batteries and use crude radios to transmit to a nearby base-station) on ATMs around the world: "Greece, Ireland, Italy, Switzerland, Sweden, Bulgaria, Turkey, United Kingdom and the United States."

A month after a hospital in Hollywood was shut down by a ransomware infection that encrypted all the files on its computers and computer-controlled instruments and systems, another hospital, this one in Kentucky, has suffered a similar fate.

Seagate has emailed its employees and ex-employees to warn them that someone in the company sent their W2 tax data to a criminal who pulled off a successful phishing fraud.