Vtech breach dumps 4.8m families' information, toy security is to blame


Vtech is a ubiquitous Hong Kong-based electronic toy company whose kiddy tablets and other devices are designed to work with its cloud service, which requires parents to set up accounts for their kids. 4.8 million of those accounts were just breached, leaking a huge amount of potentially compromising information, from kids' birthdays and home addresses to parents' passwords and password hints.

Tiny open-source gadget simulates replacement Amex cards, disables chip-&-PIN


Hardware hacker/security researcher Samy Kamkar is legendary for his legion of playful, ha-ha-only-serious gadgets that show how terrible information security is, and now he's turned his attention to the American Express company, which turns out to be a goddamned train-wreck.

Dell apologizes for preinstalling bogus root-certificate on computers


Yesterday, Dell was advising customers not to try to uninstall the bogus root certificate it had snuck onto their Windows machines, which would allow attackers to undetectably impersonate their work intranets, bank sites, or Google mail. Today, they apologized and offered an uninstaller -- even as we've learned that at least one SCADA controller was compromised by the bad cert, and that Dell has snuck even more bogus certs onto some of its machines.

Not just Lenovo: Dell ships computers with self-signed root certificates


Last February, Lenovo shocked its security-conscious customers by pre-installing its own, self-signed root certificates on the machines it sold. These certificates, provided by a spyware advertising company called Superfish, made it possible for attackers to create "secure" connections to undetectable fake versions of banking sites, corporate intranets, webmail providers, etc.

How browser extensions steal logins & browsing habits; conduct corporate espionage


Seemingly harmless browser extensions that generate emojis, enlarge thumbnails, help you debug JavaScript errors and other common utilities routinely run secret background processes that collect and retransmit your login credentials, private URLs that grant access to sensitive files, corporate secrets, full PDFs and other personally identifying, potentially compromising data.

Zero: the number of security experts Ted Koppel consulted for hysterical cyberwar book


Ted Koppel's new book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath warns of an impending disaster when America's critical infrastructure will be destroyed by cyberattackers, plunging the nation into a literal dark age.

Manhattan DA calls for backdoors in all mobile operating systems


A new report from the Manhattan District Attorney calls for law requiring "any designer of an operating system for a smartphone or tablet manufactured, leased, or sold in the U.S. to ensure that data on its devices is accessible pursuant to a search warrant."

Startup uses ultrasound chirps to covertly link and track all your devices


Silverpush, a startup that's just received $1.25M in venture capital, uses ultrasonic chirps that are emitted by apps, websites, and TV commercials to combine the identities associated with different devices (tablets, phones, computers, etc), so that your activity on all of them can be aggregated and sold to marketers.

Hospitals are patient zero for the Internet of Things infosec epidemic


As I have often noted, medical devices have terrifyingly poor security models, even when compared to the rest of the nascent Internet of Things, where security is, at best, an afterthought (at worst, it's the enemy!).

UK Snooper's Charter "would put an invisible landmine under every security researcher"


Respected UK tech elder statesman and journalist Rupert Goodwins blasts the UK government's plan to impose secret gag-orders on researchers who discover government-inserted security flaws in widely used products, with prison sentences of up to a year for blowing the whistle or even mentioning the gag orders in a court of law.

UK law will allow secret backdoor orders for software, imprison you for disclosing them


Under the UK's new Snoopers' Charter (AKA the Investigatory Powers Bill), the Secretary of State will be able to order companies to introduce security vulnerabilities into their software ("backdoors") and then bind those companies over to perpetual secrecy on the matter, with punishments of up to a year in prison for speaking out, even in court.

The Economist's anti-ad-blocking tool was hacked and infected readers' computers


PageFair is an ad-blocking circumvention tool that publishers can use to track readers who've taken technological countermeasures to protect their privacy. The company has sold its service to many publishers -- including the Economist -- by deploying moral arguments about the evils of ad-blocking.

British government will (unsuccessfully) ban end-to-end encryption

Home Secretary Theresa May has introduced the long-awaited, frequently assayed Snoopers' Charter, and it is a complete disaster.

Hundreds of city police license plate cams are insecure and can be watched by anyone


Dave Maass from the Electronic Frontier Foundation writes, "Earlier this year, security researcher John Matherly alerted us to potentially massive vulnerabilities in a certain vendor's automated license plate reader systems. We dug into the data and found that, sure enough, hundreds of LPR systems were potentially vulnerable, with many openly accessible online."

Botnets running on CCTVs and NASs


Researchers at Incapsula have discovered a botnet that runs on compromised CCTV cameras. There are hundreds of millions, if not billions, of these in the field, and like many Internet of Things devices, their security is an afterthought and not fit for purpose.

Putting your kettle on the Internet of Things makes your wifi passwords an open secret


The $150 Smarter iKettle lets you start your water boiling from anywhere in the world over the Internet -- and it also contains long-term serious security vulnerabilities that allow attackers to extract your wifi passwords from it.

How the market for zero-day vulnerabilities works


Zero-days -- bugs that are unknown to both vendors and users -- are often weaponized by governments, criminals, and private arms dealers who sell to the highest bidders. The market for zero-days means that newly discovered bugs are liable to go unpatched until they are used in a high-profile cyberattack or independently discovered by researchers who'd rather keep their neighbors safe than make a profit.
