Drill a single hole in an ATM and you can comprehensively pwn it

A presentation by Igor Soumenkov at Kaspersky's Security Analyst Summit reveals that a rash of mysterious ATM heists that left behind no evidence of hacking -- only a single small hole drilled beside the machines' PIN pads -- was likely accomplished by using the hole to insert a $15 connector that allowed thieves to hijack the ATMs and order them to spit out all their money.

Samsung's created a new IoT OS, and it's a dumpster fire

Tizen is Samsung's long-touted OS to replace Android, and Israeli security researcher Amihai Neiderman just delivered a talk on it at Kaspersky Lab's Security Analyst Summit where he revealed 40 new 0-day flaws in the OS, and showed that he could trivially send malicious code updates to any Tizen device, from TVs to phones, thanks to amateurish mistakes of the sort not seen in real production environments for decades.

Camera-equipped sex toy manufacturer ignores multiple warnings about horrible, gaping security vulnerability

The uniquely horribly named Svakom Siime Eye is an Internet of Things sex toy with a wireless camera that allows you to stream video of the insides of your orifices as they are penetrated by it; researchers at the UK's Pen Test Partners discovered that once you log in to it via the wifi network (default password "88888888"), you can root it and control it from anywhere in the world.

Unesco warns the World Wide Web Consortium that DRM is incompatible with free expression

Unesco's Frank La Rue has published a letter to Tim Berners-Lee, Director of the World Wide Web Consortium, warning him of the grave free-speech consequences of making DRM for the web without ensuring that lawful activity that requires bypassing it is also protected.

IBM reports data breaches were up 566% (4B docs!) last year

Information security is a race between peak indifference to surveillance and the point of no return for data-collection and retention.

Self-study materials on the fundamentals of malware analysis

Amanda Rousseau's self-learning materials for her Malware Unicorn workshop are a fantastic introduction to understanding and analyzing malware, covering the techniques used by malware authors, reverse-engineering tools, and three kinds of analysis: triage, static and dynamic.

Stingray for criminals: spreading mobile malware with fake cellphone towers

Police who rely on vulnerabilities in crooks' devices are terminally compromised; the best way to protect crime victims is to publicize and repair defects in systems, but every time a hole is patched, the cops lose a tool they rely on to attack their own adversaries.

"Unskilled group" is responsible for multiple, crappy ransomware attacks

Software can be thought of as a system for encapsulating the expertise of skilled practitioners; translate the hard-won expertise of a machinist or a dental technician or a bookkeeper into code, and people with little expertise in those fields can recreate many of the feats of the greatest virtuosos, just by hitting Enter.

Miele's networked disinfecting hospital dishwasher has a gaping security flaw

The Miele PG 8528 is a "washer-disinfector" intended for hospitals and other locations with potentially dangerous pathogens on their dirty dishes; it's networked and smart. And dumb.

Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities

In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt "Certificate Authorities," the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger -- bad certificates could allow anything from eavesdropping on financial transactions to spoofing industrial control systems into accepting malicious software updates.

How companies should plan for, and respond to, security breaches

Troy Hunt, proprietor of the essential Have I Been Pwned (previously), sets out the hard lessons learned through years of cataloging the human costs of breaches from companies that overcollected their customers' data, undersecured it, and then failed to warn their customers that they were at risk.

Longstanding, unpatched Bluetooth vulnerability lets burglars shut down Google security cameras

A security researcher has published a vulnerability and proof-of-concept exploits in Google's Internet of Things security cameras, marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor; these vulnerabilities were disclosed to Google last fall, but Google/Nest have not patched them despite the gravity of the vulnerability and the long months since the disclosure.

DHS bans laptops in the cabins of flights from 10 airports

The DHS has advised some airlines that flights originating from some overseas airports will only be allowed to land in the USA if passengers are required to check any electronic device bigger than a phone (excepting medical devices) in the hold.

Justice Dept. to charge 2 Russian spies and 2 criminal hackers with 2014 Yahoo breach of 500 million accounts

Before today's anticipated announcement by the Justice Department, more details are already leaking out about who they're after: “two Russian spies, and two criminal hackers.”

CBP conducted more device searches at the border in Feb than in all of 2015

There's been precious little litigation about the Customs and Border Protection Agency's far-reaching policy of invasively searching devices at the US border, so it's a legal grey zone (but you do have some rights).

Listen: how to secure software by caring about humans, not security

Scout Brody is executive director of Simply Secure, a nonprofit that works to make security and privacy technologies usable by technologically unsophisticated people by focusing on usability and human factors.

Washington Post and Jigsaw launch a collaborative pop-up dictionary of security jargon

Information security's biggest obstacle isn't the mere insecurity of so many of our tools and services: it's the widespread lack of general knowledge about fundamental security concepts, which allows scammers to trick people into turning off or ignoring security red flags.