Crooks can guess Visa card details in six seconds by querying lots of websites at once

In Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?, a new paper in IEEE Security & Privacy, researchers from the University of Newcastle demonstrate a technique for guessing security details for credit-card numbers in six seconds -- attackers spread their guesses out across many websites at once, so no website gets enough bad guesses to lock the card or trigger a fraud detection system.

My keynote from the O'Reilly Security Conference: "Security and feudalism: Own or be pwned"

Here's the 32-minute video of my presentation at last month's O'Reilly Security Conference in New York, "Security and feudalism: Own or be pwned."

UK reports of webcam blackmail (sextortion, RATting, etc) more than double in 2016

So far 864 people in the UK have reported instances of "webcam blackmail" to police in 2016, more than double the number of reported incidents in 2015.

The hacker who took over San Francisco's Muni got hacked

Last week, the San Francisco Municipal Light Rail system (the Muni) had to stop charging passengers to ride because a ransomware hacker had taken over its network and encrypted the drives of all of its servers.

NTP: the rebirth of ailing, failing core network infrastructure

Network Time Protocol is how the computers you depend on know what time it is (this is critical to network operations, cryptography, and many other critical functions); NTP software was, until recently, stored in a proprietary format on a computer that no one had the password for (and which had not been updated in a decade), and maintained almost entirely by one person.

Trump Tower has two "privately owned public spaces" that anyone is entitled to visit

In order to get permission to add an extra 20 floors to Trump Tower's plan, Donald Trump had to promise to build public amenities, "including access to restrooms, an atrium, and two upper-level gardens."

The Snoopers Charter gives these 48 organisations unlimited, secret access to all UK browsing history

With the passage of the Snoopers Charter earlier this month, the UK has become the most-surveilled "democratic" state in the world, where service providers are required to retain at least a year's worth of their customers' browsing history and make it searchable, without a warrant, to a variety of agencies -- and no records are kept of these searches, making it virtually impossible to detect petty vendetta-settling, stalking, or systemic abuses (including selling access to criminals, foreign governments, and institutionalised racism).

Two hackers are selling DDoS attacks from 400,000 IoT devices infected with the Mirai worm

The Mirai worm -- first seen attacking security journalist Brian Krebs with 620 Gbps floods, then taking down Level 3, Dyn and other hardened, well-provisioned internet giants, then spreading to every developed nation on Earth (and being used to take down some of those less-developed nations) despite being revealed as clumsy and amateurish (a situation remedied shortly after by hybridizing it with another IoT worm) -- is now bigger than ever, and you can rent time on it to punish journalists, knock countries offline, or take down chunks of the core internet.

Ransomware creep accidentally hijacks San Francisco Muni, won't give it back

A ransomware criminal's self-reproducing malicious software spread through a critical network used by the San Francisco light rail system, AKA the Muni, and shut it down; the anonymous criminal -- cryptom27@yandex.com -- says they won't give it back until they get paid.

Wisconsin: America's top voting-machine security expert says count was irregular; Fed judge says gerrymandering was unconstitutional

University of Michigan prof J Alex Halderman (previously) is one of America's top experts on voting machine security (see this, for example), and he's issued a joint statement with voting-rights attorney John Bonifaz to the Clinton campaign, advising them to ask for a recount of the Wisconsin votes.

Listening to users is the first step in making them secure

Quinn Norton's lecture A Network of Sorrows: Small Adversaries and Small Allies at Hack.lu (helpfully transcribed by the Open Transcripts folks!) is a great call-to-arms for user-centered security.

Even if you've ripped out your laptop's mic, hackers can listen in through your headphones

Realtek's audio chips -- found in Macs and many PCs -- can repurpose your laptop's headphone jack to serve as a mic jack, and capture audio through your headphones.

Whaling: phishing for executives and celebrities

A fraudster's term of art, "whaling" refers to phishing attempts targeted at "C-level corporate executives, politicians and celebrities" -- it's a play on "phishing" (attacks that trick users into downloading dangerous files or visiting attack sites by impersonating known sources) and "whales" (a term of art from casinos, referring to high-stakes gamblers).

iPhones secretly send your call history to Apple's cloud, even after you tell them not to

Apple has acknowledged that its iCloud service is a weak link in its security model, because by design Apple can gain access to encrypted data stored in its customers' accounts, which means that the company can be hacked, coerced or tricked into revealing otherwise secure customer data to law enforcement, spies and criminals.

Office Depot techs accused of faking malware infections to meet sales targets

Seattle's KIRO TV made undercover visits to Office Depot stores in Washington state and Oregon and asked the technicians working in the store's "PC Health Check" to evaluate a working, uninfected PC; four out of six times, Office Depot technicians diagnosed nonexistent virus activity and prescribed $200 worth of service to get rid of it.

Beyond Bad USB: Poisontap takes over your sleeping computer with a $5 USB stick

Prolific and dramatic security researcher Samy Kamkar (previously) has unveiled a terrifying device that reveals the devastating vulnerabilities of computers, even when in sleep mode.

Your user data is secretly sent to China through a backdoor on some U.S. Android phones

Included for free with some Android phones: “a backdoor that sends all your text messages to China every 72 hours.”