FBI says to reboot your router ASAP to avoid Russia malware VPNFilter

Have you tried turning it off and on again?

The FBI sent out an urgent bulletin advising anyone with a home or small office internet router to immediately turn it off and then turn it on again as a way to help stop the spread of a malware outbreak with origins in Russia.

FBI sinkholes a key domain used by the malware that infected 500,000 home routers, declares partial victory and Russian attribution

VPNFilter is a virulent, sophisticated, multistage worm that has successfully infected 500,000 home routers, leaving them vulnerable to both surveillance (the malware snoops network traffic for passwords) and region-wide internet shutdowns (VPNFilter can brick the routers it infects, and an attacker could shut down most or all of the home/small business internet access in a region by triggering this).

500,000 home routers have been infected with VPNFilter, malware that steals data and bricks devices

VPNFilter is a sophisticated, multi-stage malware package, part of the new breed of boot-persistent malware (software that can survive a reboot); it targets home routers and network-attached storage devices, then steals passwords and logins that traverse the network and exfiltrates them to the creators' servers.

The military sysadmins in charge of Trump's cellphones can't get him to give up wildly insecure practices

The White House Communications Agency, staffed with military information security experts, is in charge of making sure that the President's cellular phone isn't getting hacked by adversaries who might otherwise be able to listen in on his calls, capture his messages, intercept his search history, and remotely operate his camera and microphone. Donald Trump routinely ignores their advice.

Efail: can email be saved?

The revelation that encrypted email is vulnerable to a variety of devastating attacks (collectively known as "Efail") has set off a round of soul-searching by internet security researchers and other technical people -- can we save email?

App that let parents spy on teens stored thousands of kids' Apple ID passwords and usernames on an unsecured server

If you're the kind of parent who wants to spy on everything your kids do, you can force them to install an app like Teensafe, which only works if your kid doesn't use two-factor authentication; you have to give it your kid's device ID and password, so if that data leaks, it would allow anyone to break into your kid's cloud and plunder all their private data.

A data-broker has been quietly selling realtime access to your cellphone's location, and they suck, so anyone could get it for free

Last week, the New York Times revealed that an obscure company called Securus was providing realtime location tracking to law enforcement, without checking the supposed "warrants" provided by cops, and that their system had been abused by a crooked sheriff to track his targets, including a judge (days later, a hacker showed that Securus's security was terrible, and their service would be trivial to hack and abuse).

The secret, unaccountable location-tracking tool favored by dirty cops has been hacked (and it wasn’t hard)

Securus is the widely abused location-tracking tool that exploits a loophole in privacy law to allow police to extract realtime and historical cellphone location data without a warrant or any accountability.

Uber and Lyft agree to stop forcing driver sexual assault victims into arbitration, confidentiality agreements

Ride-sharing services Uber and Lyft have now both stated that they will no longer force victims of sexual assault into non-binding arbitration, as has been the practice of both firms until today.

Efail: researchers reveal worrying, unpatched vulnerabilities in encrypted email

A group of researchers have published a paper and associated website describing a clever attack on encrypted email that potentially allows an attacker to read encrypted emails sent in the past as well as current and future emails; EFF has recommended switching off PGP-based email encryption for now, to prevent attackers from tricking your email client into decrypting old emails and sending them to adversaries.

A new strain of IoT malware can survive a reboot

As scary as the epidemics of malware for Internet of Things devices have been, they had one saving grace: because they only lived in RAM (where they were hard to detect!), they could be flushed just by rebooting the infected gadget.

Nova Scotia premier won't apologise for libeling teen who discovered massive data breach

In the wake of the Nova Scotia police fully exonerating the 19-year-old who accidentally discovered an open directory full of compromising personal information belonging to Nova Scotians, you'd think that Nova Scotia premier Stephen McNeil would apologise for having called the act "stealing."

Nova Scotia abandons its attempt to destroy a teenager who stumbled on a wide-open directory of sensitive information

Last month, an unnamed 19-year-old Nova Scotian grew frustrated with the lack of a search interface for the province's public repository of responses to public records requests; he wanted to research the province's dispute with its public school teachers and didn't fancy manually clicking on thousands of links to documents to find the relevant ones, so he wrote a single line of code that downloaded all the public documents to his computer, from which he could search them with ease.

Georgia's governor has vetoed SB 315, the state's catastrophically stupid cybersecurity law

When Georgia's legislature passed SB 315, a horribly misguided cybersecurity bill that criminalized routine security research, thus allowing bad guys to get much worse, everyone pinned their hopes on Governor Nathan Deal vetoing it.

Equifax finally publishes a tally of what got breached when it left 146.6 million credit files unsecured

Ever since the news of the Equifax breach broke last September, we've been waiting for the company to publish an authoritative tally of what, exactly, got breached.

Over 55,000 security camera DVRs are vulnerable to an exploit so simple it fits in a tweet

Last month, Argentinian security researcher Ezequiel Fernandez published CVE-2018-9995, a vulnerability he discovered in dozens of brands of DVR that are all based on the same white-label devices, TBK's DVR4104 and DVR4216.

Son of Spectre: researchers are about to announce eight more Meltdown-style defects in common microprocessors

The New Year's revelation that decades' worth of Intel's processors had deep, scary defects called "Spectre" and "Meltdown" still has security experts reeling as they contemplate the scale of patching billions of devices that are vulnerable to attack.