Medical implants and hospital systems are still infosec dumpster-fires

Medical devices have long been the locus of information security's scariest failures. From the testing and life-support equipment in hospitals to the implants that go in your body, these systems are often designed to harvest titanic amounts of data about you, data you're not allowed to see that's processed by code you're not allowed to audit, with potential felony prosecutions for security researchers who report defects in these systems (only partially mitigated by a limited exemption that expires next year). What's more, it can get much worse.

Most Chipotle restaurants were hacked by credit-card stealing malware

Did you think you got away clean when you ate at Chipotle without dying of listeria? Not so fast!

UK Tories say they'll exploit Manchester's dead to ban working crypto in the UK

One of UK Prime Minister Theresa May's government ministers told a reporter from The Sun that the government is planning on invoking the "Technical Capabilities Orders" section of the Snoopers Charter, a 2016 domestic spying bill; the "orders" allow the government to demand that companies cease using working cryptography in their products and services, substituting it with deliberately defective code that can be broken.

1Password's new travel mode locks you out of your accounts while you're travelling and crossing borders

1Password has taken Maciej Cegłowski's demand for a "travel mode" for our technology to heart, introducing a new feature that locks you out of your own accounts when you're in situations where you might lose control of your devices or be compelled to log into your accounts without your consent.

An IoT botnet is trying to nuke Wcry's killswitch

Whoever created the Wcry ransomware worm -- which uses a leaked NSA cyberweapon to spread like wildfire -- included a killswitch: newly infected systems check to see if a non-existent domain is active, and if it is, they fall dormant, ceasing their relentless propagation.

The abysmal information security at Trump properties has probably already compromised US secrets

ProPublica and Gizmodo sent a penetration-testing team to Mar-a-Lago, the Trump resort that has been at the center of a series of controversial potential breaches of US military secrecy (for example, loudly discussing sensitive information about the North Korean missile launch in the club's full, public dining room); they discovered that it would be child's play to hack the Mar-a-Lago networks, and that indeed, the networks have almost certainly already been hacked.

Yesterday's report of hardier Wcry retracted, but new versions found

Yesterday's report of a Wcry ransomware version that didn't have the killswitch that halted the worm's spread was retracted by Motherboard and Kaspersky Lab -- but today, France's Benkow computing documents a new Wcry strain that has a different killswitch -- one that has already been registered, stopping the new strain.

Retracted! Wcry ransomware is reborn without its killswitch, starts spreading anew

Motherboard has retracted this story: "Correction: This piece was based on the premise that a new piece of WannaCry ransomware spread in the same manner as the one that was responsible for widespread attacks on Friday, and that it did not contain a so-called kill switch. However, after the publication of this article one of the researchers making this claim, Costin Raiu, director of global research and analysis team at Kaspersky Lab, realized that was not the case. The ransomware samples without the kill switch did not proliferate in the same manner, and so did not pose the same threat to the public. Motherboard regrets the error."

Yesterday, the world got a temporary respite from the virulent Wcry ransomware worm, which used a leaked NSA cyberweapon to spread itself to computers all over the world, shutting down hospitals, financial institutions, power companies, businesses, and private individuals' computers, demanding $300 to reactivate them.

Anti-DRM artists march on the World Wide Web Consortium today

Today, activists will gather in Cambridge, Mass. to march to the offices of W3C Director Tim Berners-Lee to urge him to keep DRM out of the standards for the open web.

The virulent ransomware worm has been stopped (for now) by a hidden killswitch

As the Wcry ransomware burned across the globe yesterday, spreading to more than 80 countries thanks to a bug in Windows that the NSA deliberately kept secret in order to weaponize it, it seemed unstoppable.

Ransomware hackers have stolen hospitals and doctors' offices across the UK, using a leaked NSA cyberweapon

25 NHS trusts and multiple doctors' practices in England and Scotland (but so far, not Northern Ireland or Wales) report that they have had to effectively shut down due to a massive Wcry ransomware infection that has stolen whole swathes of the English healthcare system in one go. The infection appears to exploit a bug that the NSA discovered and deliberately kept secret, only to have it revealed by the Shadow Brokers.

HP's stupid audio-driver logs every keystroke you make (and it has an API!)

The Swiss security research firm Modzero just published a report documenting a grave flaw in HP laptops: an audio-driver made by Conexant that captures every keystroke (to detect volume up/down and mute-button presses) and saves them to an unencrypted file on the local system, which can then be exfiltrated via a debugging API that allows remote parties to see every keystroke in realtime.

Apple's control-freakery is making the Internet of Shit shittier

The anonymous individual behind the must-follow Internet of Shit Twitter account now has a column in The Verge, and has devoted 1,500 words to documenting all the ways in which Apple's signature walled-garden approach to technology has created an Apple Home IoT platform that is not only manifestly totally broken, but also can't be fixed until Apple decides to do something about it -- and once you opt for Apple, you can forget about plugging in anything Apple hasn't greenlit, meaning that your choice of smartphone will determine what kind of toaster and lightswitch you're allowed to connect to your smarthome.

Intel declared war on general purpose computing and lost, so now all our computers are broken

It's been a year since we warned that Intel's Management Engine -- a separate computer within your own computer, intended to verify and supervise the main system -- presented a terrifying, unauditable security risk that could lead to devastating, unstoppable attacks. Guess what happened next?

Mobile phone security's been busted for years, and now 2-factor auth is busted too

The SS7 vulnerability has long been understood and publicized: anyone who spends $1000 or so for a mobile data roaming license can use the SS7 protocol to tell your phone company that your phone just showed up on their network and hijack all the traffic destined for your phone, including those handy SMSes used to verify sketchy attempts to log into your bank account and steal all your money.

The "anti-patterns" that turned the IoT into the Internet of Shit

Cloudflare presents a primer on "anti-patterns" that have transformed IoT devices into ghastly security nightmares.

India's controversial national ID scheme leaks fraud-friendly data for 130,000,000 people

Aadhaar kicked off in 2009, linking each Indian resident's biometric data and sensitive personally identifying information to a unique 12-digit number.