Incidents Calendar

Events and noteworthy developments in digital security throughout 2016

Digital Security

    • 1 Dec

      US: Rule 41 'mass hacking' change goes into effect

      On December 1, the controversial law known as 'Rule 41' took effect, effectively giving US law enforcement authorities the ability to hack thousands of devices with a single warrant. A bipartisan effort by senators to take a vote and delay the implementation of the law was rebuffed by Senate leaders.

      Rule 41 is promoted by its backers as being a practical, efficient response to modern online crimes, particularly botnets or mass infections which may involve multiple devices in multiple jurisdictions. Privacy and civil rights advocates however have highlighted that law enforcement authorities do not themselves have spotless track records in handling privacy or security concerns, and the new law does not clarify the legal framework around what is essentially government hacking.

    • 29 Dec

      Grizzly Steppe report released on US election hacking

      The US Department of Homeland Security and Federal Bureau of Investigations (FBI) jointly released a report entitled Grizzly Steppe, which details the hacking of the Democratic National Convention (DNC) and other recent attacks thought to be the work of Russian-backed hacking groups.

      While the report was produced in response to President Obama's request for a full review of intelligence related to the recent US election hacks, security researchers expressed disappointment over the report itself, highlighting a lack of supporting evidence to strongly link the attacks to Russian agents, as well as a lack of any data that could be useful for system administrators trying to harden their networks against attacks.

    • 30 Dec

      US expels Russian diplomats over election hacking

      35 Russian diplomats have been expelled from the United States in retaliation for what US intelligence believes to be Russian efforts to meddle in the nation's recent presidential elections.

      The expulsions are part of a package of punitive actions announced by President Obama, which include sanctions on a number of individuals and entities, in particular the two Russian state intelligence services. Also as part of the retaliatory measures, Russian officials are to be denied access to two recreational compounds located in Maryland and New York that are said to have been used for intelligence-gathering purposes.

      In a surprise move, Russian President Vladimir Putin has announced that US diplomats will not be expelled from Russia in the usual reciprocal diplomatic action. He went on to say that he would wait until president-elect Trump takes office on January 20 to see what the new administration would do.

    • 7 Nov

      China: stringent cybersecurity law passed

      China has passed new regulations that impose stringent data storage, surveillance, content and identity requirements on digital technology services operating in the country, causing unease among foreign companies concerned about potential conflicts over data security and privacy.

      The new legislation, which will go into effect in June 2017, will among other things require that users sign up for services using their real name and personal information; that companies store data related to Chinese users on servers in the country; and that the companies will render both access to data and any necessary assistance to authorities for national security and criminal investigations.

    • 21 Nov

      Thailand: plans to tighten cybersecurity

      The military government in Thailand is moving ahead with legislation that introduces new measures which critics say would give the state agencies increased powers to monitor the behavior of Thai citizens online.

      The proposed amendments to the country's Computer Crimes Act would reportedly allow officials to obtain user data from service providers without court approval, seize computer equipment and remove or suspend sites that are thought to contravene social or moral norms. Opponents of the amendments have expressed concerns that the legislation would be used to crack down on anti-government sentiment, among other forms of online speech.

    • 21 Nov

      US: Rule 41 'mass hacking' bill delayed

      Lawmakers in the United States have made a bipartisan effort to delay proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure legislation, a procedural rule change that would allow judges to give warrants to law enforcement officers permitting them to hack devices in any jurisdiction.

      If not blocked by Congress, the amendment will automatically go into effect on 1 Dec 2016, though a bill known as the Review the Rule Act is currently being proposed to delay the change until July 2017.

    • 24 Nov

      UK: 'Snoopers' charter' mass surveillance bill passed

      The Investigatory Powers Act 2016 has been passed in the UK, providing government authorities in the country with the power to access data about the online activities of UK citizens over the last year.

      According to reports, the new law will require Internet Service Providers (ISPs) to record all their customers' web history for a year and allow the data to be accessed by the authorities; it will also require that companies decrypt data when required to do so and give intelligence agencies the power to hack into citizens' devices.

      The bill is due to come into effect at the end of 2016, and has been characterized by opponents as "the most extreme surveillance law ever passed in a democracy". While some safeguards are included in the legislation, it has been roundly criticized by privacy advocates, technology companies, and the United Nations.

    • 3 Oct

      Mozilla, Apple distrust certs from WoSign, StartCom

      Mozilla and Apple separately announced their decisions to distrust new SSL certificates from the WoSign and StartCom certificate authorities (CAs) that are issued after October 21, 2016. The move would mean that any websites signed by such certificates would no longer be accessible to users on the companies' respective web browsers.

      The dual decisions follow a report on poor technical practices by the CAs, which were said to have created new SHA1-signed certificates and then back-dated them to December 2015 in order to circumvent an industry-wide move to phase out such certificates after a January 1, 2016 deadline. WoSign also raised transparency concerns for failing to inform browser vendors about its purchase of the StartCom CA.

      The bans are expected to come into effect with the next version of the Firefox browser (due early next year), and in upcoming security releases for Apple's iOS and OS X platforms.

    • 27 Oct

      US FCC: New privacy regulations for ISPs

      The US Federal Communications Commission (FCC) approved new rules that regulate how Internet Service Providers (ISPs) handle their customers' information. The rules would require ISPs to explicitly obtain their customers' permission before the companies can share their sensitive data, which would include details such as geo-location, web browsing and app history and so on.

      The new rules have won praise from privacy advocates for improving user control over their data, and criticisms from industry officials for introducing additional complexity.

    • 28 Oct

      Europe: 'serious concerns' over Whatsapp - Facebook data sharing

      European privacy watchdogs have expressed 'serious concerns' about the recent changes to the privacy policy of popular messaging service Whatsapp. The recent changes allow the service to share certain user details with its parent company Facebook, leading authorities to question whether the data sharing is contravening privacy and data protection rules in the region.

    • 28 Oct

      US DMCA: Now legal to hack your own devices

      An exemption to the Digital Millennium Copyright Act (DMCA) came into effect in October, allowing Americans the right to hack their own devices without fear of the device manufacturer suing them for copyright infringement.

      The exemption is valid for a two-year trial period, and must be renewed at the end of that period. In addition, the user would still need to comply with the Computer Fraud and Abuse Act, in that any attempt to hack the product must be done in a "controlled environment designed to avoid any harm to individuals or the public."

    • 11 Sep

      US: FBI use of malware for investigations is a 'search'

      A US federal judge overseeing a case between the Federal Bureau of Investigations (FBI) and a defendant accused of involvement in distributing child pornography has ruled that the investigators' actions in remotely compromising the accused's computer are considered a 'search' under the Fourth Amendment.

      While previous rulings on the matter have been in line with the Department of Justice's view that hacking a computer does not 'constitute a search', Judge Ezra ruled that when considered in light of the Fourth Amendment of the US Constitution, which grants citizens protection against 'unreasonable searches or seizures', such hacking is "unquestionably a 'search'".

      The latest decision could mean that investigators would need to obtain a warrant in order to use malware to perform investigations of digital assets, though the judge's ruling also noted that 'Congressional clarification' would be needed to delineate a judge's authority in issuing such a warrant.

    • 13 Sep

      NY: cyber security regulations for banks, insurers

      The Governor of New York has issued cyber security regulations for banks and insurers in the state, the first of their kind in the country, which would require companies to, among other measures, set up cybersecurity programs and appoint a Chief Information Officer to oversee cyber security matters.

      The regulations had been under negotiation since 2014, following a series of embarrassing data breaches and hacks that hit multiple high-profile companies in the country.

    • 14 Sep

      UK: Watchdog censures gov't over personal data security breaches

      The United Kingdom's National Audit Office (NAO) released a scathing report on the government's cyber security processes, which reportedly led to multiple breaches of personal data security in the 2014 to 2015 period.

      According to the report, government departments currently maintain individual procedures for identifying and reporting failures in data security, creating a fragmented and chaotic reporting process. In addition, as departments are only required to self-report breaches, only 14 incidents were reported to the Information Commissioner during the period covered by the investigation, despite thousands more 'minor' ones being logged.

    • 27 Sep

      Germany: Facebook ordered to stop collecting Whatsapp user data

      Germany's national data protection authority has ordered Facebook to stop collecting user data from its subsidiary Whatsapp, and delete any details already gathered, after the parent company began collecting the information following a change in the terms and conditions for use of the popular messaging app. The instruction was given on the grounds that the company had not requested permission in advance from the affected users to collect such data.

      Facebook's recent move to collect user data from Whatsapp users had already sparked concern earlier in the month, given its earlier assurances that such information would remain untouched when the messaging app was bought over by the social media giant a couple years previously. According to media reports, multiple countries are currently investigating the legality of the data collection.

    • 12 Aug

      Pakistan National Assembly approves controversial cyber crime law

      Pakistan's National Assembly has given its approval to the Prevention of Electronic Crimes Bill (PECB) 2015. The legislation, which was drafted and submitted in response to growing concerns about online crimes, has come under fire from human rights and pro-democracy activists who are concerned that the vague language used in it can also lead to cases of misuse.

      The PECB Bill allows authorities to force Internet providers to remove or block access to any content related to a range of online offenses, including electronic fraud, harassment, stalking, blackmailing, terrorism support or recruitment, and more. The bill also grants the authorities a wide range of powers and penalties, including jail time, fines and the legal backing to compel individuals questioned during an investigation to unlock private devices.

      The bill must now be approved by the Senate before it can be formally signed into law.

    • 24 Aug

      France, Germany ponder encrypted message access after terror attacks

      Interior ministers in France and Germany have publicly said that they would ask the EU to allow state intelligence agencies more powers to compel encrypted messaging services to grant access to user data in the course of criminal investigations.

      The comments come in a year when both countries have suffered multiple terror-related attacks. While both countries grapple with the issue of identifying and countering terrorist threats, and the effect that encrypted communications have on those efforts, European privacy and data security laws have been increasingly strengthening, with support growing for the use of end-to-end encryption on messaging services.

    • 6 Jul

      EU: Bloc-wide NIS Directive on cyber security adopted

      Members of the European Parliament (MEPs) have formally voted to adopt the Network and Information Security (NIS) Directive, which is considered to be the first EU-wide cyber security ruling.

      The Directive requires that technology companies offering 'essential services' in the member states improve their security and reporting practices to deal with the threat of cyber attacks.

      Following its approval, member states have two years to bring individual national laws into line with the Directive, as well as identify the companies that would be considered as 'essential service' providers. The new rulings would affect companies in the finance, energy, transport and health sectors, as well as the more obvious technology sector.

    • 14 Jul

      US: 'Federal Deposit Insurance Corporation (FDIC) hack cover-up'

      A recently released report from the United States House of Representatives' Science, Space and Technology Committee announced that the Federal Deposit Insurance Corporation (FDIC) had been repeatedly hacked by external attackers between 2011 and 2013. The institution, which is in charge of monitoring banks that do not fall under the purview of the Federal Reserve, has access to sensitive data related to thousands of banks operating in the United States.

      The Committee's report noted that the hacks involved the compromise of 12 workstations and 10 servers, and affected machines used by high-ranking executives in the organization. In addition, the report highlighted attempts by the Corporation's executives to obscure the extent of the hack when faced with enquiries by congressional investigators.

      News reports covering the story highlighted claims that the breaches were perpetrated by Chinese hackers, though no specific evidence to back the attribution has been confirmed. The Chinese government has refuted the claims, pointing out the lack of evidence.

    • 18 Jul

      US pushes to allow allies access to US-held data

      The United States is said to be working on an agreement that would grant allies the right to serve warrants for data or wiretap requests directly to American technology companies, in return for similar access to data held in the reciprocating country.

      Under current data-sharing agreements, foreign nations are required to contact local law enforcement authorities to pursue such data requests, rather than directly approaching the companies themselves.

      The new agreement would have to be approved by Congress before it can take effect, with the United Kingdom said to be the first in line for participation.

    • 25 Jul

      Estonia considering overseas citizen data backups

      The Estonian government is reportedly in talks with the United Kingdom and Luxembourg to explore the idea of creating a backup copy of official data on the country's citizens, to be held in so-called 'data embassies' based outside the nation. The impetus for the arrangement is said to be a safeguard against possible theft or destruction by other nation states.

      Estonia is considered to have one of the most technologically connected governments in the world, with many of its services being routinely accessed online. Its vulnerability to attack was underscored however by a cyberattack in 2007 that blocked access to many of these services for weeks.

      The talks with the UK and Luxembourg governments are reportedly in the early stages, with the impact from the UK's referendum to leave the EU likely still to be taken into account.

    • 26 Jul

      US: 'FBI to lead cyber crime incident response'

      Following closely on the heels of the Federal Bureau of Investigations' (FBI) probe into the hack of the Democratic National Committee (DNC), President Obama has announced a policy change to formally make the FBI the lead agency in responding to cyber incidents in the US. The FBI would have the responsibility of coordinating the nation's response during an investigation, regardless of where the attack is thought to originate.

      Under the new policy, the Department of Justice has been assigned to handle threat response activities under the direction of the FBI, while the Department of Homeland Security would cover 'asset response' and the Office of the Director of National Intelligence would direct 'intelligence support' activities.

    • 29 Jul

      Scope of US DNC hack expands, fallout continues

      The scope of the Democratic National Committee (DNC) hack has widened, with reports of suspicions that a consultant's personal email account had been infiltrated. In addition, reports have confirmed that a fund-raising website and a data analysis system used as part of the campaign for the party's presidential candidate, Hillary Clinton, were also compromised.

      The public fallout from the hack includes the resignation of multiple officials related to the organization and controversy over statements made by Republican presidential nominee Donald Trump that appeared to incite Russia to conduct attacks against the rival party's candidate.

    • 14 Jun

      US & China hold talks over cybersecurity issues

      The governments of the US and China met in Beijing to discuss their continued efforts to end state support for commercial cyberespionage attacks.

      The talks are seen as an outgrowth of the 'anti-hacking' accord that was signed by both presidents in September last year. In recent years, a series of high profile cyber espionage-related cases involving both government and commercial entities in the US have strained ties between the nations. China has denied that it supported the attacks on US institutions, and has said that it has itself been affected by such attacks in turn.

      Officials from both governments have said that their respective administrations are committed to building on last year's agreement to rebuild trust between the two countries and improve cooperation when dealing with cyberespionage attacks.

    • 20 Jun

      Report: 'Chinese cyberespionage against US dropped sharply'

      A report from security researchers at FireEye has stated that the 'almost daily' barrage of attacks against US-based firms said to be perpetrated by hackers supported by China have dropped sharply in the last year.

      According to news reports, the rate of attacks had started to drop even before the Sept 2015 cybersecurity talks between the US and China, which had led to a pledge by President Xi Jinping to halt cyberespionage targeting US companies. Reports from FireEye, as well as other security firms, have suggested that the hackers responsible for the cyberespionage attacks against the US have simply shifted focus to targets in other countries of interest.

      US government officials have not officially confirmed whether they believe that the Chinese government is abiding by its commitment, or whether they will pursue action for the intellectual property or personal data theft that was committed in earlier hacks.

    • 22 Jun

      US Senate rejects proposal to give FBI access to browser histories

      The US Senate has rejected a proposed amendment to the Commerce, Justice, Science, and Related Agencies Appropriations Act (2016) that would increase the FBI's warrantless surveillance powers. The amendment was put forward in the wake of the Orlando mass shooting.

      The '4787' amendment was promoted as a way to 'track lone wolves', and would have allowed the FBI to use its controversial national security letters to secure access to a suspect's Internet web browser history without requiring court approval. Opponents of the proposal have pointed out that the practice of using national security letters to obtain data from tech companies and other parties of interest has already drawn transparency and privacy concerns.

      The Senate requires a minimum of 60 votes on an amendment before it can be advanced; the proposal fell short of that threshold by two votes.

    • 24 Jun

      Privacy Shield: US, EU come to terms about spying

      The US and the EU have reached an accord regarding the bulk collection of data in transmissions sent from the EU to the US, a key area of contention that had led to the cancellation of the previous Safe Harbour pact.

      Following extended negotiations, the Privacy Shield agreement that is to replace the defunct pact would include provisions that would allow for "highly targeted" data collection, only under "specific preconditions".

      The latest changes to the agreement also include clarifications on the role of an independent ombudsman to handle data-related complaints from EU citizens, and stricter data retention rules.

      If the current form of the agreement is approved by the remaining members of the EU, it is likely to go into effect from July 2016.

    • 26 Jun

      Snowden: Russia's 'Big Brother' bill 'unworkable, unjustifiable'

      Whistleblower Edward Snowden took to Twitter to denounce an anti-terrorism bill recently passed by the Russian Duma that would require the country's ISPs and telecommunications providers to archive six months' worth of user communications and make them available for law enforcement. According to news reports, the bill would also criminalize any expression of approval for any terrorism-related activities on social media. The bill also criminalizes failure to report 'reliable' information related to potential terrorism incidents.

      While the bill was ostensibly drafted in response to the bombing of a Russian jet over Egypt in October 2015, international human rights activists have expressed concern over the broad reach of the bill and its potential use for silencing opposition to the state, while at least some of the major telecommunications providers in the country have stated that the bill's requirements would impose massive infrastructure outlays.

    • 17 May

      EU: More powers to Europol to hunt terrorists, cyber-criminals

      The European Union has approved new governance rules for its law enforcement agency Europol, which would improve its ability to track terrorists and cybercriminals. The changes, which were approved by an overwhelming majority of EU MPs, would also provide greater oversight of the agency.

      The expanded mandate will make it easier for Europol to set up specialised units to deal with cross-border crimes, including terrorist threats. To encourage the data sharing that would underpin such efforts, the new rules require EU member states to share the information needed. It also sets guidelines for how the body can share its own data with private entities, such as social media networks, that would allow them to counter online terrorism propaganda more effectively.

      Given the expanded powers granted to Europol, the update also includes requirements for stronger data protection and government oversight. It also establishes a clear channel for complaints for EU citizens.

      The new rules are slated to go into effect on 1 May 2017.

    • 9 May

      US FTC & FCC probe security patching processes

      The United States Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have both launched investigations into how security updates are being distributed to smartphone end users. In separate enquiries, major smartphone manufacturers and telecommunications providers have both been asked to provide details of how security updates are issued to their customers.

      While most of the smartphone manufacturers identified in the investigations provide devices for the Android platform, the FTC also contacted Microsoft, Blackberry and Apple to request further details of how they distribute security patches for the customers of their own mobile operating systems.

    • 10 May

      Privacy Int'l challenges UK gov't 'right to hack' ruling

      Non-government organization (NGO) Privacy International has filed a Judicial Review with the UK High Court, challenging the decision made by the Investigatory Powers Tribunal (IPT) that the government has the right to issue 'general hacking warrants'.

      Under current laws, the UK government is permitted to issue general warrants that allow organizations, such as the spy agency, to hack the devices of both UK and non-UK residents, without needing a judge to validate the warrant first.

      Among other objections to the decision, Privacy International has characterized it as an "unprecedented expansion of state surveillance capabilities", alleging that the warrants could be used to target broad swathes of the population.

    • 17 May

      Judge refuses Mozilla request to force FBI to disclose flaw

      A US federal court judge has denied Mozilla's request that the Federal Bureau of Investigations (FBI) provide the browser provider with information about a zero-day vulnerability the agency had used to track down anonymous users of a child pornography website. According to news reports, the enforcement agency had used an undisclosed vulnerability in the Tor browser to install a monitoring program on the computers of users who visited the website. The Tor browser is built on code from the Firefox web browser, but is configured to keep its users anonymous.

      Mozilla's request was filed during a separate court case involving the FBI and one of the website users identified during their operation, who had demanded that the agency disclose to his lawyers how he had been tracked. Mozilla filed a request asking that the FBI provide such information to the company first, before revealing it to the defense lawyers in the trial. The request reportedly stemmed from the browser vendor's concern that the vulnerability used in the case may also exist in its more popular Firefox web browser, potentially putting many more users at risk.

      The judge's decision to reject the request reportedly came after a plea from the US Justice Department that cited "national security" concerns. The judge determined that the FBI did not need to reveal details of the vulnerability to the defense team at all, essentially negating Mozilla's request to be first informed. Mozilla has insisted that the vulnerability should still be fixed in order to improve security for all users.

    • 17 May

      China reviewing products from foreign tech firms

      China is reportedly quietly conducting reviews of tech products sold in the country by foreign companies. The inspections are said to be scrutinizing the encryption and data storage mechanisms used in the products.

      According to news reports, the reviews have not been officially disclosed by the government, but are said to have been ongoing since early last year, and are apparently conducted by a committee associated with the country's Internet control bureau, the Cyberspace Administration of China. Executives and employees from the foreign firms whose products are being reviewed are reportedly being required to disclose product or project details to the investigating committee.

      Other countries, such as Britain and the United States, have previously conducted technology reviews for foreign technology products being used by military or government personnel. This is however believed to be the first instance in which a government has conducted such a review of foreign products intended for general consumer use.

    • 17 May

      EU approves 'Network and Information Security Directive'

      The European Union has adopted new legislation that would require "essential services" operators and "digital service" providers to take or improve measures for managing the risks to their services and networks.

      Under the new Network and Information Security Directive, companies that provide services which are essential to critical social or economic activities (ranging from general utilities to search engines or online marketplaces) would be required to come up with appropriate risk management practices, as well as establishing processes for reporting major incidents to designated national authorities.

      Following the adoption of the legislation, each member state in the EU will have two years to make any necessary changes to their respective national laws in order to comply with the directive.

    • 12 Apr

      Washington Post: 'FBI bought iPhone exploit from hackers'

      The Washington Post newspaper published a report alleging that the US Federal Bureau of Investigations (FBI) were able to break into the iPhone that had been at the center of their contentious court case against Apple after the agency purchased an exploit from 'professional hackers'. According to the report, the exploit had been uncovered by 'gray hat' hackers, so called because they find such flaws in order to sell them to governments and other entities, rather than disclosing them to vendors.

    • 13 Apr

      Draft of US 'encryption' bill heavily criticized

      A few days after a copy was leaked online, the draft text of the proposed "Compliance with Court Orders Act of 2016" bill has been released. Written by Democratic Senator Dianne Feinstein and Republican Senator Richard Burr, the legislation seeks to enforce the compliance of technology companies with court-issued demands for access to data. If the data requested is encrypted, the bill would require that it be rendered 'intelligible', effectively negating the encryption.

      Reaction to the draft has been swift and largely negative, not just from tech giants who would be most directly affected by the legislation but also from privacy and cybersecurity advocates. Commentators have been particularly critical of the overly broad language used, and of inherent conflicts between privacy and security concerns that are not adequately addressed. A group of tech coalitions subsequently published an open letter to the bill's authors expressing their concerns over the potential impact on users' privacy and security if the legislation were to be passed.

      The proposed legislation is currently considered a 'discussion draft', with the text open to revision.

    • Apr 14

      Microsoft sues US Justice Dept over data gag orders

      Tech giant Microsoft has filed a suit against the US Justice Department over the use of gag orders that prevent the company from informing users when access to their personal data has been requested by a government agency. Microsoft contends that the government's use of gag orders is "unconstitutional", especially in light of the number of 'secrecy orders' the company received in an 18-month period.

      According to news reports, law enforcement authorities have said that the demand to keep data access requests secret from the owners of the affected data is necessary, for example to prevent possible suspects from deleting potential evidence if they become aware that their data is under scrutiny.

    • Apr 14

      GDPR data protection law ratified by EU Parliament

      The European Parliament has ratified a broad set of data-protection laws, which would allow companies to be held more responsible for protecting customer data in their care, as well as providing EU citizens with more control over the kind of information companies can keep about them. The legislation provides a uniform set of laws for all member states, potentially making it easier and simpler for businesses to legally operate in all countries within the bloc.

      The General Data Protection Regulation (GDPR) would require companies to ensure that their services and products are private and secure 'by default', rather than requiring users to opt in for greater security. The legislation also mandates, among other things, 'clear and plain language' in explaining how the data would be protected or used, and fines for those who fail to comply.

      Though the GDPR is now in force, companies have until 4 May 2018 to make the necessary changes to comply with the new regulations.

    • Apr 14

      EFF sues US Justice Dept over secret decryption orders


    • Apr 15

      China blocks access to Medium website

      Popular independent publishing website Medium has been inaccessible to users in mainland China since at least the second week of April, according to the company. No reason for the block has been given by the country's Internet regulator. Medium now joins other global content and social media services, including most notably Facebook, Google and WordPress, which are not available to ordinary citizens in the strictly regulated country.

      The timing of the block has spurred comment, coming as it does only a few days after the Panama Papers leak, in which prominent Chinese citizens were named. Medium had also recently announced that major news sites (which are already blocked in China) would start publishing content with Medium.

    • Mar 2

      Facebook exec detained as Brazil court demands WhatsApp data

      A Facebook executive was detained and questioned, then subsequently released, as part of an ongoing investigation into a drug-trafficking operation in Brazil. The detention was related to a court order demanding access to data transmitted over the company's encrypted WhatsApp messaging service, which the Brazilian authorities believed would help in their investigation. Facebook has stated that it has no access to the data, making compliance with the court order impossible.

      The executive, Vice-President for Brazil Diego Dzodan, was released after an appeals judge overturned the order used to detain him. The arrest comes on top of a reported fine of "1 million reais ($250,000)" imposed on the company for failing to comply with the order. In December 2015, a judge ordered a 48-hour suspension of the WhatsApp service after the company refused to comply with requests to share information; as in the more recent case, at the time the company said it was simply unable to provide the requested data. The suspension was later overturned by an appeals judge; while in force, it affected millions of users in the country.

    • Mar 9

      China building 'precrime' program to identify potential terrorists

      China is reportedly working on creating a program, based on data collected from monitoring on its own citizens, that would help the government "predict terrorist acts before they occur". Once a concept restricted to science fantasy, the so-called 'pre-crime' system is reportedly being actively pursued in the interests of maintaining domestic stability and security.

      The nation has a long history of aggressively investing in a vast array of surveillance technologies, as well as using more old-fashioned networks of informants to gather information about suspected security threats in its population. Defense contractor China Electronics Technology has been tasked with developing the software needed to make effective use of the gathered data. Privacy advocates and security experts outside the country have raised concerns about both the intrusiveness and the effectiveness of such a program.

    • Mar 10

      US senators propose fines for refusal to decrypt data

      Reuters news agency reports that a bipartisan bill is to be announced that, if passed, would impose civil penalties on technology companies that refuse to comply with court orders demanding assistance in gaining access to encrypted data stored on their products. The bill is expected to call for contempt of court charges and fines to be brought into play if a company balks at obeying a court order.

      The success of the proposal is currently uncertain, given the political gridlock affecting the US Congress and the more supportive attitude in the US House of Representatives towards digital privacy. It is also likely to be strongly opposed by Silicon Valley.

    • Mar 21

      FBI unexpectedly postpones hearing in Apple case

      The intensely watched court case between the United States' Federal Bureau of Investigations (FBI) and tech giant Apple took an unexpected twist when the agency filed a motion to postpone an upcoming hearing. The announcement was accompanied by a statement that "an outside party" had demonstrated a way of unlocking the iPhone at the heart of the case (belonging to one of the San Bernardino attackers) without technical assistance from Apple. The FBI is said to be "cautiously optimistic" that the method is plausible, and is investigating further.

      The statement comes as a surprise following repeated claims from the FBI that Apple was the only party with the capability to unlock the device without potentially damaging any data stored on it. The announcement has also raised further questions regarding the mysterious method, and whether the FBI will inform Apple of its details.

    • Mar 22

      FBI: 'We didn't say you should pay ransom demands'

      On December 15th 2015, US Senator Ron Wyden sent a letter to FBI Director James Comey regarding crypto-ransomware. The letter contained a list of questions, including: "FBI officials have been quoted as saying the Bureau often advises people 'just to pay the ransom.' Is this an accurate description of FBI policy with respect to ransomware?"

      The FBI recently responded to the Senator's letter, and notes in it that the agency "does not advise victims on whether or not to pay the ransom". It does however advise them that the use of regular backups, from which they can recover any data that is compromised, is "an effective way to minimize the impact of ransomware". It also noted that in the event that sufficient precautions have not been taken (or have failed), "and the individual or business still wants to recover their files, the victim's remaining alternative is to pay the ransom".

    • Mar 28

      FBI cracks terrorist's iPhone without help from Apple

      The FBI has announced that it was able to successfully retrieve data stored on the iPhone belonging to one of the San Bernardino terror attackers, without requiring the assistance it had been demanding from Apple. This follows weeks of repeated insistence that the company behind the iPhone was the only party that could unlock the encrypted device without affecting the stored data.

      The official announcement gave no further details of how the agency was able to retrieve the data, or what they found. The government has also filed a request to withdraw the original court order requiring Apple to provide technical assistance. Apple had appealed the order, on privacy grounds.

      Speculation remains about how the FBI was finally able to access the device, and whether the agency will share details of how it did so with Apple.

    • Feb 17

      Documentary: 'US planned cyberattack if Iran talks failed'

      A documentary that premiered at the Berlin film festival claims that the United States had created a contingency plan for a cyberattack on Iran in the event of a military conflict, to be used if diplomatic efforts to limit the country's nuclear program were unsuccessful. The contingency plan, code-named Nitro Zeus, would have involved infiltrating and disabling Iran's air, power and communications grids.

      Nitro Zeus was reportedly a follow-up to the "Olympic Games" attack in 2010, in which the Stuxnet worm was used to infiltrate and compromise operations at an Iranian nuclear enrichment facility. The contingency plan was shelved after negotiations finally produced an agreement.

      The claims made in the documentary were independently investigated by the New York Times and Buzzfeed; no official confirmation of the allegations was provided by US agencies.

    • Feb 20

      FBI v. Apple iPhone 'unlock' case draws comments

      Following Apple's appeal against an order from a California judge to assist the FBI in 'unlocking' the iPhone of one of the December 2015 San Bernardino terror attackers, multiple parties have issued statements weighing in on either side of the debate. The first response came from the White House, which denied claims that the Justice Department was asking for a 'backdoor' to be created for all iPhones, saying instead that it only wanted help with one device. Various other figures from the tech and IT security industries later published statements supporting Apple's stand and announcing that they would also fight against moves that may impact the security of their offerings.

      To complicate matters, a New York judge subsequently ruled against the government in a separate case involving a request to compel Apple to provide data from an iPhone. In this case, the judge found that the government had used an overly "expansive" reading of the All Writs Act to support the request. The All Writs Act is the same act being used by the FBI to justify its request in the California case.

    • Mar 1

      France mulls fine for refusing requests to decrypt data

      In the wake of the November 2015 Paris terror attacks, French politicians are considering legislative changes that would "overhaul legal procedures and fight organized crime". Included in the bill under review is a proposal to impose penalties on technology companies that refuse to cooperate and provide access to encrypted data to facilitate terrorist investigations.

      The proposal would force companies such as Google and Apple (which is currently fighting a court order in the United States to 'unlock' the phone of one of the December 2015 San Bernardino terror attackers) to comply with security services in France if they demand such cooperation. Failure to comply could result in the company facing a EUR 350,000 fine, as well as jail time of up to 5 years.

      The bill was passed by the lower chamber of parliament on first reading. It will proceed to be reviewed by the French Senate and then must pass final voting before it becomes law.

    • Feb 2

      New "Privacy Shield" pact to replace Safe Harbor

      The United States and the European Union have agreed to a new legal framework (referred to as the "EU-US Privacy Shield") that would allow the commercial transfer of user data between the two regions. This agreement would replace the previous Safe Harbor pact, which was revoked in October last year by the European Court of Justice over concerns about the United States' unwillingness to meet data privacy requirements for European user data.

      The details of the new pact still require political approval on both sides of the Atlantic, meaning that it could be months before the agreement goes into full effect.

    • Feb 9

      Facebook ordered to stop tracking non-users in France

      France's data protection authority CNIL has issued a formal notice to the social media company to comply with European data protection laws within three months or face the possibility of a sanction. The main concern revolves around the company's practice of silently tracking non-users' web activity, as well as the transfer of personal data to the United States.

      This is the first significant legal challenge to be filed over data privacy concerns following the dismantling of the Safe Harbor trans-Atlantic pact between Europe and the United States. A subsequent three-month interim period (during which alternative arrangements were expected to be made) has also ended, allowing European data protection agencies to file legal action against companies that are still using the defunct agreement to justify data transfers.

      A new legal framework (dubbed the "EU-US Privacy Shield") to allow the continuation of such data transfers was agreed on last week but has not yet gone into effect.

    • Feb 11

      US Judicial Redress Act gives EU citizens right to sue

      The United States Senate has passed the Judicial Redress Act, which would give European citizens the right to sue American agencies that intentionally violate the US Privacy Act when handling their personal data. The Act also allows Europeans the right to sue an agency if it refuses to provide an opportunity to review or amend incorrect records.

      The Judicial Redress Act is not part of the revoked Safe Harbor pact, or its successor, the Privacy Shield pact. Instead, it is part of an umbrella agreement that is designed to give Europeans equal footing to American citizens in enforcing their data protection rights in US courts, and is viewed as a way of rebuilding trust between the US and the EU following the Snowden revelations. The Act still requires approval from US President Obama before it can go into effect.

    • Feb 12

      UK IPT tribunal: GCHQ hacking not illegal

      The Investigatory Powers Tribunal, set up to hear legal challenges to the United Kingdom's intelligence services, has ruled that it is legal for GCHQ to hack into and install malware on systems both in the UK and abroad. The decision ends a case filed by Privacy International and associated claimants who alleged that the spy agency's actions violated human rights law.

      The judgement found that the Equipment Interference Code of Practice (a set of guidelines published by the Home Office to define actions the intelligence services can take when performing such surveillance) provided sufficient framework to allow the agencies to operate in a "lawful and proportionate" manner. An Investigatory Powers Bill that is due to become law later this year would provide further legal footing for the Code of Practice.


    • 14 Dec

      1 billion Yahoo! accounts compromised

      Following its September disclosure of a 2013 hack affecting more than 500 million accounts, Yahoo! once again announced that its user accounts had been compromised in a separate hack that also took place in 2013, this time affecting over 1 billion accounts. The latest reported incident affects sensitive data such as names, dates of birth, encrypted passwords and telephone numbers. The company has said it will alert all affected users and require them to change their passwords.

      Yahoo! also announced that some of its proprietary code had been accessed by a hacker, allowing the intruders to forge cookies that would let them access accounts without needing a password. The company said it has identified the accounts for which the forged cookies were used to gain access, and has notified the account holders.

    • 2 Nov

      Hackers claim Kremlin office email leak

      Hackers from a Ukrainian group calling themselves the Cyber Alliance claim to have hacked into the email account belonging to an aide to Vladislav Surkov, a shadowy Russian government minister said to be close to President Putin. Emails leaked from the account purport to show Russia's interest in and support of separatist movements in eastern Ukraine.

      News reports covering the incident have speculated that the technical sophistication and timing of the hack could tie it to a retaliatory effort by US intelligence agencies following suspected Russian hacking attempts related to the US elections. The Kremlin for its part has denied allegations of political maneuvering revealed in the leaks as well as speculation that the breach was a counterattack by foreign intelligence forces.

    • 9 Nov

      Yahoo!: Some employees knew about breach in 2014

      Yahoo revealed in a filing with the US Securities and Exchange Commission that some employees had discovered the breach of its email accounts service as early as 2014.

      The revelation raises questions about why the company only confirmed the breach in 2016, though some reports suggest that it took a prolonged investigation to uncover the full scope of the breach.

    • 14 Nov

      Adult FriendFinder hack exposes 400 million accounts

      LeakedSource reported that 339 million accounts on the Adult FriendFinder website were exposed in a recent breach, as well as over 60 million accounts on the sister site. The leaked data included emails and passwords, with the data reportedly stretching back 20 years.

      FriendFinder Networks, the owner of the breached services, did not initially confirm or deny the breach, though it did release a statement saying an investigation was underway following reports of "potential security vulnerabilities". The company began alerting its members to the security lapse a week after it was publicly reported in the news.

    • 15 Nov

      Backdoor on Blu Android phones found sending data to China

      Security researchers reported that low-cost Android phones from Blu Products contain preinstalled software in their firmware which sent data from the devices to servers located in mainland China. The transmitted data included all text messages and phone call data, as well as location and app usage. The devices are sold in the United States, and some 120,000 users in the country are said to be affected by the secret data collection.

      The software, which was characterized as a backdoor, was provided by the Shanghai Adups Technology company, which reportedly collects the data from the devices for advertising purposes. According to a company spokesman, the software was not intended for American consumers, and a software update will be issued to stop the devices from sending the collected data. Blu Products has said it was unaware of the preinstalled software, and that all data collected through it has been destroyed.

    • 17 Nov

      UK's Three Mobile hit by data breach

      The Three Mobile telecommunications service in the United Kingdom confirmed a data breach in its customer upgrade database. The incident was initially reported to have put the personal data of almost 6 million customers at risk, though later reports clarified that only about 134,000 customers had had their account details accessed.

      The amount of personal information that could have been taken from each account is said to vary depending on the type of contract the customer had, but at most would have included such details as address, date of birth, marital status and employment status. No bank details or credit/debit card information were affected.

      The breach is reported to have involved use of an employee login, and was discovered following complaints of scam callers targeting Three Mobile customers and attempting to get access to their bank accounts. Three individuals were arrested shortly after the news broke.

    • 20 Nov

      Second Android phone backdoor firmware reported

      Less than a week after a backdoor was reported in low-end Android phones from Blu Products comes news of another security issue involving insecure firmware developed in China and installed on Android devices.

      The second incident centers on firmware developed by the Chinese company Ragentek Group, which is used on some low-end Android devices to handle Over-the-Air (OTA) updates. Security researchers reported that the firmware uses an insecure mechanism to create unprotected, unencrypted connections to remote servers during the updating process. The unsecured connection essentially leaves an opening that attackers could use to intercept the OTA transmission and gain total control of the device.

      The devices containing the insecure firmware are sold by multiple manufacturers, and in multiple countries including the United States.

    • 13 Sep

      Yahoo! confirms massive email data breach

      Following media reports that the user credentials for Yahoo! mail accounts had been leaked online, the web giant has confirmed that it had been subjected to a massive data breach that involved data from at least 500 million user accounts. The number of accounts affected would make this the largest currently known data breach.

      The breach is reported to have occurred in 2014, and involved the loss of information such as names, email addresses, telephone numbers, dates of birth and hashed passwords, though not payment card data, or bank account details.

      Yahoo! also claimed that the hack was the work of a 'state-sponsored' actor. Following the revelation, the company has been hit by a class-action lawsuit, as well as multiple questions regarding the timing of the announcement and other aspects of the breach.

    • 19 Sep

      WADA confirms athlete data stolen, leaked

      The World Anti-Doping Agency (WADA) announced that a confidential database containing the medical records of athletes tested for performance-enhancing drugs had been hacked by a Russian cyber-espionage group. Data related to several prominent international athletes, including gymnast Simone Biles, tennis stars Venus and Serena Williams and Rafael Nadal, and runner Mo Farah, was subsequently publicly posted online.

      The hack is alleged to have been committed by the 'Fancy Bear' espionage group and is widely considered to be a retaliatory attack motivated by WADA's condemnation of Russia's state-sponsored cover-up of doping among its athletes.

    • 22 Sep

      White House staffer's personal email hacked, data published

      The White House announced an investigation into the breach of the personal email account of one of its staffers which resulted in the exposure of confidential information, including what appears to be an image of First Lady Michelle Obama's passport.

      News reports on the incident took pains to clarify that the staffer affected by the attack was a contractor who had worked on Hillary Clinton's campaign. Other details found in the leaked information revolved around logistics of the campaign.

      The leak itself is reportedly the work of a group calling themselves DCLeaks, who also claimed responsibility for an earlier release of emails stolen from the personal email account of former Secretary of State Colin Powell.

    • 27 Sep

      Louisiana public databases found exposed online

      A database containing the details of 2.9 million voters in the US state of Louisiana was found publicly exposed and accessible online. The database reportedly included such details as names, home addresses, phone numbers and political party affiliations.

      According to reports, the researchers who discovered the voter database also noted another database available on the same server that appeared to contain details from the state's Department of Public Safety. Following the reports, both databases have been taken offline.

      While the information contained in the databases is available as public records, the fact that such material is so accessible online without any form of protection is of concern to data security and privacy advocates, as the easy availability of such details makes identity fraud and other crimes much easier to perpetrate.

    • 16 Aug

      Infected POS systems at multiple hotels steal credit card data

      Payment systems at 20 hotels owned by the hotel chain HEI have reportedly been found to be infected with malware, which could steal credit card numbers and corresponding customer names.

      The HEI chain owns the Starwood, Marriott, Hyatt and Intercontinental hotels. The Point-of-Sale (POS) terminals that were infected by malware were used onsite, meaning that online transactions were not compromised.

      Reports said that the malware had apparently been active since early December 2015. While there is no confirmed count of the number of customers affected, estimates generally range from thousands to the tens of thousands, depending on the property.

    • 13 Aug

      'Guccifer 2.0' hacker dumps data on US House Democrats

      The hacker who claimed to be behind the recent hack of the Democratic National Committee has also claimed responsibility for a breach of the Democratic Congressional Campaign Committee, and published a trove of information about the representatives to prove his claim.

      The data dump included personal information such as home and email addresses and contact numbers for some of the representatives. 

    • 24 Aug

      Massive data leak on Indian Scorpene submarine project

      The Australian media broke the news that over 22,000 pages of information had been leaked about a submarine construction project being undertaken by the French manufacturing firm DCNS for the Indian government. The highly sensitive information about the Scorpene-class vessels included details about the weapons, combat management, communication and navigation systems.

      In response to the news, India opened an investigation into how the confidential data could have been leaked. The security breach has been called 'economic warfare' by the manufacturing firm.

    • 25 Aug

      WhatsApp to share users' phone numbers & statistics with Facebook

      The popular WhatsApp messaging service announced that it would be changing its terms of service to allow it to share the phone numbers of its users with its parent company Facebook, along with some statistical and analytical data. This is the first change made to the service's terms since it was bought by the social media giant two years ago.

      Users motivated by privacy concerns have 30 days to opt out of the data sharing, which can be done once a prompt is displayed asking the user to agree to the new terms and conditions.

    • 31 Aug

      2012 Dropbox hack included 68 million user login details

      Cloud storage service Dropbox confirmed that an attack which took place in 2012 not only resulted in the loss of some users' email addresses, but also the compromise of over 68 million user login credentials, both email addresses and passwords.

      The news follows a recent move by the service pushing users who had not reset their passwords since 2012 to do so. While a company spokesman has said there is no evidence that user accounts had been improperly accessed, users are urged to reset their passwords as soon as possible. This includes ensuring that the new password used is not reused on another web service.

    • 5 Jul

      WikiLeaks publishes H. Clinton's Iraq War emails

      Whistleblowing website WikiLeaks has published a trove of over 1,000 emails from Hillary Clinton's private email server related to the Iraq War.

      The release of the emails was apparently timed to coincide with the release of the Chilcot Report, a public inquiry investigating Britain's entry into the Iraq War.

    • 14 Jul

      Microsoft wins appeal against US warrant for data stored overseas

      Microsoft has won its appeal against a search warrant that would have given the US government access to customer emails that are stored on servers located outside the United States.

      The decision by the federal appeals court was made on the grounds that the US domestic search warrant, which was issued on the basis of the Stored Communications Act, could not be extended extraterritorially to encompass servers based in a foreign nation.

      The decision has been hailed as a victory by privacy advocates and other observers concerned about the increasing breadth of governmental access to user data.

    • 20 Jul

      WikiLeaks publishes 300k emails allegedly from Turkey gov't

      WikiLeaks has published almost 300,000 emails said to be from Turkey's ruling Justice and Development (AKP) political party. The leak follows on the heels of an aborted military coup in the nation, and a swift crackdown on military, government, police and education personnel accused of being involved or associated with the coup plotters.

      Following the release of the emails, the site has been criticized for including databases that held the personally identifiable information of millions of Turkish citizens. In addition, reports have noted that the leaked material does not appear to contain emails of significance from the AKP party or from Turkish president Recep Tayyip Erdogan.

    • 21 Jul

      France: Microsoft Windows 10's data collection 'excessive'

      France's data protection commission CNIL has issued a report saying that Microsoft's Windows 10 operating system 'excessively' collected information from the user, as well as engaged in intrusive browser activity tracking intended to support personalized advertising.

      The commission gave the company three months to find a way to end the highlighted behavior, failing which sanctions may be issued.

    • 22 Jul

      WikiLeaks publishes 20,000 emails leaked from US DNC

      WikiLeaks published almost 20,000 emails from the Democratic National Committee (DNC), reportedly leaked from the email accounts of seven DNC officials.

      The leaked emails are said to contradict the DNC's public stance of neutrality in the contest between Hillary Clinton and Bernie Sanders to be the Democratic Party's nominee for the presidential race.

      While the leak has impacted on the DNC itself with the resignation of at least one official from the organization, the WikiLeaks website has also come under criticism for publishing the personally identifiable information of party members and other individuals contacted by the committee.

    • 3 Jun

      TeamViewer account hijackings reported, hack disputed

      Popular remote control software TeamViewer has come under fire recently, as multiple reports have surfaced of user accounts being 'hijacked' and used to steal money from the affected users.

      Affected users have taken to social media to highlight their issues, and while some claim that the hijacks were the result of a hack of the TeamViewer software or network, the company itself has countered that it is more likely to be due to unsafe user practices such as reusing passwords.

      'Anti-hacking' measures have nevertheless been announced, including alerts when new logins to an account are made from an unknown device or location.

    • 10 Jun

      Twitter, VerticalScope account details posted online, hack disputed

      The LeakedSource website claims that 32 million passwords for the Twitter social network have been uploaded to the site for sale. In the same period, the VerticalScope media company, which runs dozens of online sites such as and, said that it was investigating reports that over 45 million account records related to its online properties had been stolen and uploaded to the same website.

      When asked about the allegations, Twitter reported that it had investigated the data available, and was 'confident that its systems had not been breached'. According to reports, the data found in the trove may instead stem from passwords gathered by malware infecting web browsers on user's machines, rather than directly from the social network itself. Security researchers have also questioned the authenticity of the material uploaded to the LeakedSource site, suggesting that it may instead have been compiled from older leaks.

      In the case of the VerticalScope data leak, according to the LeakedSource website, the records contained details including the account name, password and IP address. While there has been no confirmation of how the details were obtained, news reports have noted that many of the VerticalScope-run websites used forum software that was outdated and included vulnerabilities that would have been easily exploitable by hackers.

      The LeakedSource website itself has also highlighted the possibility that VerticalScope had "stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale"; other security experts have commented that such an arrangement seems unlikely.

    • 15 Jun

      xDedic online market for hacked servers reported

      Security researchers announced the discovery of an underground online market offering hacked servers for sale. The hacked servers, which are located around the world, are reportedly 'pre-infected' with a variety of malware, allowing the 'buyers' to use them to launch attacks and perform other malicious actions.

      According to news reports, the xDedic market lists over 70,000 compromised servers, belonging to organizations such as universities, businesses and even government bodies.

    • 16 Jun

      DNC hack: Russian state-backed hackers or 'Guccifer 2.0'?

      The Democratic National Committee (DNC) announced that hackers had been able to access its network and steal research related to the Democratic Party's current opponent, presidential candidate Donald Trump. According to news reports, after finding suspicious activity in the network, the DNC called in security experts and discovered that the hackers had penetrated far enough to be able to read all emails and chat traffic being transmitted over the network. No personal data or financial information, however, was stolen during the course of the intrusion.

      In the announcement, the DNC also explicitly identified the attack as being the work of Russian government-backed hackers. For its part, Russia has denied any involvement in the hack, claiming that it is more likely to have been the result of someone 'forgetting the password' rather than an orchestrated attack.

      The security experts investigating the hack noted that in fact two separate hacking groups had been able to hack the network, with one gaining a foothold last year and the other in April of this year, with the latter's intrusion being the one that triggered the discovery. The two groups, dubbed Cozy Bear and Fancy Bear respectively, are not thought to have been working together.

      Following the flurry of news reports covering the DNC hack, a hacker using the moniker 'Guccifer 2.0' claimed responsibility for the hack, and that there was no link to the Russians. As proof, the hacker posted a number of the documents online and sent them to media outlets as well. There has been a certain amount of skepticism over the hacker's claims however, as there is no way to verify their identity and the DNC has not publicly authenticated the documents posted.

    • 16 Jun

      GitHub, GoToMyPC hit by 'password reuse' attacks

      Code repository service GitHub and remote computer access service GoToMyPC were both affected by attacks that used login credentials previously exposed in the recent password dumps to try to gain access to accounts.

      Following what are referred to as 'password reuse' attacks, both services moved to reset account passwords, either for those that had been directly compromised or for all accounts. Neither service confirmed the number of accounts that had been compromised during the attacks.
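      The defensive counterpart to a password reuse attack is to refuse passwords that already appear in public dumps, so that a credential stolen from one service cannot be replayed against another. The example below is added here and is not code from the Incidents Calendar or from either service named above; the breach corpus it uses is constructed for illustration, and the prefix/suffix lookup mirrors the range-query design used by public breached-password services, in which the client reveals only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally.

```python
"""Reject passwords that appear in a known breach corpus (added example).

The corpus below is constructed; a real deployment loads hashes from breach
data rather than plaintexts. The 5-character prefix split means the checking
service never learns the full hash of the candidate password.
"""
import hashlib
from collections import defaultdict

# Constructed sample of breached passwords with hit counts (not real data).
CONSTRUCTED_BREACHED = {
    "123456": 23_000_000,
    "password": 3_700_000,
    "linkedin": 200_000,
    "qwerty": 3_900_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form breach corpora are usually distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Server side: map each 5-char hash prefix to {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in breached.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


def range_query(index: dict, prefix: str) -> dict:
    """Server side: return every suffix under a prefix; the full hash is never sent."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def breach_count(index: dict, password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    h = sha1_hex(password)
    return range_query(index, h[:5]).get(h[5:], 0)


def password_allowed(index: dict, password: str, min_len: int = 12) -> tuple:
    """Policy check a registration or password-change form would run."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    seen = breach_count(index, password)
    if seen:
        return False, f"seen {seen:,} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACHED)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", password_allowed(idx, candidate))
```

      The same index, kept up to date with each new dump, also lets a service check existing accounts after a leak and force a reset only where the stored hash matches, which is the targeted variant of the resets described above.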

    • 29 Jun

      Global terrorism database exposed online

      A database containing information on people with suspected links to, among other things, terrorism and organized crime, has reportedly been found exposed online.

      According to reports, what is known as the World-Check risk intelligence database contains 2.2 million records identifying individuals (and organizations) and the suspicions against them, including such sensitive information as alleged criminal histories. The database is used by financial institutions, as well as government and intelligence agencies, and access to it is meant to be highly restricted. The security researcher who reported the discovery noted that the database was found on an unsecured server with no protection.

      Following a report highlighting the issue to Thomson Reuters, which owns the database, the 'leaked' copy was reportedly removed. The version that was found was said to be from 2012 and out-of-date. In the past, there has been controversy over the incorrect listing of individuals in the World-Check database as having terrorist links, and lack of redress available to customers whose bank accounts were unduly affected by a secretive assessment based on use of the database.

    • 9 May

      Database of 'Panama Papers' documents now available online

      A huge database containing the documents leaked from Panama-based law firm Mossack Fonseca has become available online, giving interested parties full access to some 11.5 million documents related to more than 200,000 offshore accounts.

      The database, which is operated by the International Consortium of Investigative Journalists (ICIJ), contained details about the hidden wealth of prominent figures from countries around the world, ranging from politicians to movie stars. ICIJ has said that the documents made available do not include records of bank accounts, passwords or other such potentially compromising details.

      While the offshore funds detailed in the leaked documents are not illegal, their potential for use in avoiding tax payments have led to the launch of investigations in multiple countries. The law firm at the center of the leak has denied any suggestions of wrongdoing.

    • 14 May

      More bank data allegedly leaked by Bozkurtlar hackers

      Turkish hacking group Bozkurtlar (translated as Grey Wolves) announced that they posted data from 5 South Asian banks online. The latest announcement follows their hack of Qatar National Bank, as well as a (disputed) hack of InvestBank in the United Arab Emirates.

      Despite the hacking group's claims, security researchers reviewing the leaked data have raised doubts about whether the material came from a recent hack or was simply gathered from older breaches. Nevertheless, as reports indicate that the data included account details (such as full names, addresses and family information), the leaks are of concern to the banks' customers.

      As no further demands have been made by the hackers, commentators have speculated that the data breach was done either because of political motivations, or to use the ensuing publicity to damage the reputations of the affected banks.

    • 12 May

      Personal data of prominent Chinese figures leaked online

      A Twitter account was for a short time posting personal information related to prominent Chinese citizens, ranging from politicians to industry leaders and celebrities. The account ("shenfenzheng", which translates as "personal id") was used to show photographs and screenshots of everything from official identification numbers to home addresses and educational records.

      The account has since been closed for violating Twitter's own policy forbidding the publication of personal data. No reports have identified the account's operator, who was apparently able to circumvent the notorious Great Firewall of China, which prevents the country's citizens from accessing some foreign services (including Twitter itself).

      Based on comments posted by the operator, the intended purpose of the account was to highlight the easy accessibility of such confidential data in China. According to reports, none of the persons whose data was exposed by the account, nor the public security ministry, have publicly commented on the incident.

    • 14 May

      Hacker site hacked, user data leaked

      In an ironic twist of fate, an underground forum used by hackers to buy or sell leaked content has itself been hacked, and data about the forum users posted online. The leaked data reportedly contains information about over 500,000 accounts, including personal messages, transactions, IP addresses and other details.

      There has thus far been no public confirmation of how the breach was executed, though news reports have noted that the forum software in use contained multiple critical vulnerabilities.

    • 18 May

      LinkedIn resets passwords for 117M accounts affected by breach

      Social network site LinkedIn has begun invalidating and resetting passwords for about 117 million accounts which were found to be affected by a data breach that occurred in 2012. The move was made after a security researcher noted that a hacker had offered the account login credentials for sale on The Real Deal underground online market for USD2200.

      At the time of the breach, researchers believed only 6.5 million accounts had been compromised. In addition to resetting the passwords on affected accounts, LinkedIn has recommended that users ensure that they do not reuse the same password on more than one site and enable two-factor authentication.

    • 30 May

      Password leaks: 427M for MySpace, 65M for Tumblr, 40M for Fling

      Just a few days after the LinkedIn password leak, reports have emerged of a hacker (using the pseudonym 'peace_of_mind') offering to sell 427 million MySpace passwords. The social network giant has so far not commented on reports about the leak.

      Earlier this month, the same hacker who claimed responsibility for the MySpace leak was also reportedly behind the leak of 40 million passwords for accounts on the adult personal ads site Fling.

      In related news, a security researcher also reported receiving a data dump from an anonymous source containing passwords for Tumblr accounts. Unlike the recent leaks from MySpace and LinkedIn, in which the passwords had only been hashed with unsalted SHA-1 and were comparatively easy to break, the Tumblr passwords had reportedly been salted and hashed, making them more difficult to crack.
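      The difference the salt makes is easy to show. The example below is added here and is not code from the Incidents Calendar or from any of the services named; its user records and wordlist are constructed. With unsalted SHA-1, one pass over a wordlist yields a lookup table that cracks every account at once and exposes which users share a password; with a per-user salt, every guess must be hashed again for every user and the table is useless. Salted SHA-1 is included only to isolate the effect of the salt; the last two functions show the slow, salted construction (PBKDF2-HMAC-SHA256) a password store should actually use.

```python
"""Unsalted SHA-1 versus salted hashing, measured in hash operations (added example)."""
import hashlib
import hmac
import os

# Constructed sample accounts (username -> password); not real data.
CONSTRUCTED_USERS = {
    "alice": "password",
    "bob": "letmein",
    "carol": "password",    # same password as alice
    "dave": "Tr0ub4dor&3",  # not in the wordlist below
}
# Constructed wordlist standing in for a cracking dictionary.
CONSTRUCTED_WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123"]


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def store_unsalted(users: dict) -> dict:
    """The LinkedIn/MySpace pattern: SHA-1 of the password alone."""
    return {user: sha1(pw.encode()) for user, pw in users.items()}


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Build one hash->word table, then crack every account by lookup.
    Returns (cracked {user: password}, number of hash computations)."""
    table = {sha1(w.encode()): w for w in wordlist}  # reusable against any unsalted dump
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def store_salted(users: dict, salt_len: int = 16) -> dict:
    """Per-user random salt prepended before hashing: {user: (salt, digest)}."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        out[user] = (salt, sha1(salt + pw.encode()))
    return out


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """No shared table is possible: each user costs a fresh pass over the wordlist."""
    cracked, ops = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            ops += 1
            if hmac.compare_digest(sha1(salt + word.encode()), digest):
                cracked[user] = word
                break
    return cracked, ops


def hash_for_storage(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted AND slow: PBKDF2-HMAC-SHA256 makes each guess cost `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = 600_000) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_for_storage(password, salt, iterations), stored)


if __name__ == "__main__":
    unsalted = store_unsalted(CONSTRUCTED_USERS)
    print("alice and carol share a hash:", unsalted["alice"] == unsalted["carol"])
    print("unsalted:", crack_unsalted(unsalted, CONSTRUCTED_WORDLIST))
    print("salted:  ", crack_salted(store_salted(CONSTRUCTED_USERS), CONSTRUCTED_WORDLIST))
```

      With four constructed accounts and a five-word list the salted run costs thirteen hash computations against five for the unsalted table, and the ratio grows with the number of accounts; the iteration count in `hash_for_storage` then multiplies that cost again per guess.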

    • Apr 5

      Panama Papers leak causes international furore

      A secretive law firm based in Panama has suffered what is being called the biggest data leak in history, after 11 million internal documents were leaked to an international coalition of investigative journalists. The firm in question, Mossack Fonseca, specialized in facilitating offshore companies; such entities are often used by wealthy individuals as a means to (legally) maintain funds outside of a country's tax jurisdiction, but could also be used for less reputable purposes.

      Reports published based on information revealed in the leaked documents have identified prominent individuals as Mossack Fonseca clients, including politicians, celebrities and business figures. Such revelations have also led to questions regarding the named individuals' use of offshore banking.

      The scandal has already claimed at least one political casualty, as the Icelandic Prime Minister resigned amid allegations that he had concealed millions in an offshore company. Police investigations have also been launched in various countries based on information uncovered in the leaked papers.

      Speculation has also been rife about the identity of the mysterious whistleblower responsible for releasing the massive trove of documents to the media, with one prominent whistleblower alleging that the leak was the work of a US intelligence service.

    • Apr 6

      50M Turkish citizens' identity database posted online

      A file containing what appears to be authentic identity data of some 50 million Turkish citizens was recently leaked online, prompting privacy concerns. The database contains sensitive information such as full names, addresses, birth dates and parents' names, though it does not include finance-related information such as credit card details. The amount of personally identifying content exposed by the leak has however raised fears of potential identity fraud and other such misuse of the now-public information.

      The Turkish government has launched an investigation into how the database could have been obtained, and has publicly downplayed the significance of the breach. The leak was also accompanied by messages directed at the Turkish government, prompting speculation that it had been politically motivated.

      At the time of the leak, it was considered the biggest of its kind, though it was eclipsed only a few days later by the leak of voter details in the Philippines, which affected 55 million citizens.

    • Apr 7

      'Freaking huge' Philippines voter info leak

      The entire database of the Philippines' Commission on Elections (COMELEC) has reportedly been posted online, in what has been called the largest government data breach in history. According to news reports, the leak is attributed to LulzSec Philippines, and follows an attack only days prior in which Anonymous Philippines defaced the COMELEC website.

      The leaked database contained personal details of 55 million citizens, including such sensitive information as passport information and fingerprint data. The exposure of so much personally identifiable information has raised fears of identity theft.

      Filipino authorities are investigating how the data was stolen.

    • Apr 14

      Researchers: URL shortening hackable to view private content

      Researchers at Cornell Tech have published their research on how "brute-forcing" shortened links allowed them to view private shared content stored on cloud storage services. The research focused on the Microsoft OneDrive and Google Maps services, which allow users to share private content with other users using links that are shortened (reduced to a domain name and up to 6 random characters) by the shortening service.

      According to the researchers, the 6-character length of the shortened links would make it feasible for a determined attacker to randomly generate and test millions of shortened links, until they find a link that gives them access to privately-shared content. The researchers demonstrated the viability of their "brute-forcing" method to Google and Microsoft before publication of their work, and both subsequently made changes to how users could share their content.

    • Mar 8

      Seagate employee data lost in phishing scam

      Data storage company Seagate reported that it had suffered a phishing attack which resulted in the loss of thousands of tax documents from its employees, both past and present. As in the recently reported case involving Snapchat, an email message impersonating the firm's CEO was sent to the company's finance and human resources departments openly requesting the documents.

      According to the company, federal authorities were notified of the loss. Though no reports have confirmed the number of employees thought to be affected by the breach, there are fears that the stolen data would be used to perpetrate income tax fraud.

    • Mar 24

      Verizon Enterprise Solutions hit by data breach

      Verizon Enterprise Solutions, a unit of the telecommunications company that handles data breaches at Fortune 500 companies, has reported that an attacker was able to exploit a security vulnerability on its enterprise client portal to steal the contact details of 1.5 million enterprise customers (consumer customers were reportedly not affected).

      The stolen data was reportedly later offered for sale on an underground forum. Affected customers are currently being notified of the breach.

    • Feb 25

      Judge: CMU provided FBI with cracked Tor info

      An ongoing criminal case against Brian Farrell, allegedly one of the administrators of the Silk Road 2.0 drugs bazaar, unexpectedly led to the issuance of a court order that revealed more details of the suspected relationship between Carnegie Mellon University's Software Engineering Institute (SEI) and the FBI.

      According to news reports covering the revelation, SEI had been pursuing Department of Defense (DoD) research that involved using a vulnerability in Tor software to reveal the true IP addresses of its anonymized users. The researchers were able to carry out a month-long attack that gathered details of the users' IP addresses; this data was subsequently subpoenaed and handed over to the FBI after the agency learned of the successful attack.

    • Feb 29

      Phishing scam leads to Snapchat employee data leak

      Snapchat has announced that some of its employee data was compromised, after an attacker used an email message pretending to be from Snapchat CEO Evan Spiegel to successfully trick an employee into forwarding the information.

      The company responded swiftly, taking action "within 4 hours" and reporting it to the FBI. It also made clear that the leaked data was purely internal, as user data was unaffected by the leak. News coverage of the incident has been quick to point out that even presumably tech-savvy individuals are not immune to phishing, the low-tech social engineering tactic used in this instance and which typically involves impersonating a legitimate contact in order to gain trust.

    • Jan 13

      Hardcoded password reported in Fortinet software

      Security researchers announced the discovery of suspicious code in older versions of the FortiOS software used in some network products from Fortinet. According to news reports, the code involved an authentication routine which included a 'secret' hardcoded SSH login password. A Python script that could exploit this secret was made public, essentially allowing anyone who uses the script on affected devices to gain administrator-level access.

      Publicly described by researchers as a 'backdoor', Fortinet has disputed such categorization, calling it instead a 'management authentication issue', and saying that it has been addressed and resolved in a patch made available in July 2014.

      The revelation comes only a month after Juniper Networks revealed the existence of an unauthorized backdoor on some of its products.

    • Jan 14

      US Intelligence director's email, phone hacked

      News site Motherboard has reported that the personal email account and home phone of James Clapper, the Director of US National Intelligence, have been hacked.

      The incident follows a similar attack on the personal account of CIA director John Brennan a couple months earlier, and is attributed to the same hackers, called "Crackas with Attitude". According to reports, the hackers also hacked the director's wife's personal email account, and forwarded calls to the director's home phone to the Free Palestine Movement.

      The Office of the Director of National Intelligence confirmed the incident, saying that they were aware of it and had "reported it to the appropriate authorities".

    • Jan 22

      More Fortinet products found with 'secret backdoor'

      Following the identification of what was described as a 'secret backdoor' on older versions of its FortiOS software, Fortinet officials have announced that a review of its products led to the discovery of the same issue on several other current products. The company has issued updates for the affected devices, and urged customers to update their systems with the highest priority.

    • Jan 26

      Irish gov't sites, lottery, hit by DDoS attacks

      Irish government sites were the latest targets of a wave of Distributed Denial of Service (DDoS) attacks to hit Irish services in the space of a week. Irish media reported that websites for the Central Statistics Office, the Department of Justice and the Courts Service were briefly unavailable; this follows similar incidents involving discussion boards and the National Lottery.

      Though speculation has abounded about the perpetrators and intent behind the attacks, no confirmed attribution has been made so far.


    • 8 Dec

      ThyssenKrupp trade secrets stolen in targeted attack

      Major steel manufacturer ThyssenKrupp AG announced that technical trade secrets had been stolen from its steel production and manufacturing plant design divisions in cyber attacks earlier this year.

      The attacks, which the company characterized as "organized, highly professional hacker activities", were said to have been launched from South East Asia and were able to exfiltrate data from a number of sites around the world until the activity was detected. The company was able to remove the infection and implement new safeguards. ThyssenKrupp AG has since filed a criminal complaint with German authorities and is working with law enforcement to further investigate the attacks.

    • 26 Dec

      Leet DDoS botnet hits Incapsula CDN with 650Gbps traffic

      Content Delivery Network (CDN) Imperva Incapsula reported being hit by a Distributed Denial of Service (DDoS) attack on December 21 that peaked at 650Gbps, making it one of the largest of such attacks on record so far.

      According to the reports of the incident, the traffic came from spoofed IP addresses, making it impossible to identify the geolocation of the actual devices sending the traffic or their nature. Analysis of the traffic packets however indicates that the attack came from a botnet, which the researchers named the 'Leet' botnet after a signature found in the code.

    • 10 Oct

      BBC: France TV5 Monde hack 'work of Russian hackers'

      BBC News reported that the 2015 attack on France's TV5 Monde news station, which led to the prominent broadcaster going dark for several hours, had been the work of Russian hackers, rather than pro-IS hackers as originally reported.

      The report highlighted the extensive reconnaissance that had to have been done to create specialized malware tailored to disrupt the station's broadcasts, and that the aim of the malware was clearly destructive. The malware is reportedly linked to the known cyber espionage group APT 28 (also known as Fancy Bear, Sofacy and Pawn Storm), most recently credited with the WADA medical data leak.

    • 11 Oct

      UN nuclear watchdog says nuclear plant targeted by cyber attack

      The director of the International Atomic Energy Agency (IAEA), the United Nations' nuclear watchdog, announced that a nuclear plant had been the target of a cyber attack two or three years ago. The director gave few other details of the attack other than to state that the aim appeared to be to smuggle out nuclear materials, possibly for bomb-making.

    • 16 Oct

      DDoS attack on Dyn DNS downs numerous sites

      A massive DDoS attack exploited poorly secured Internet-connected devices to generate sufficient traffic to disrupt the Dyn DNS service, which is used by a number of major websites to handle their web traffic. The attack led to outages or slowness on sites such as Twitter, SoundCloud, Spotify, GitHub, PayPal and Reddit, mainly affecting users on the East Coast of the US and in parts of Europe.

      The attack was reportedly coordinated using the Mirai botnet, the same malware/collective that was involved in the earlier attack on security researcher Brian Krebs' website.

      The incident underlines rising concerns that DDoS attacks are becoming far larger and more disruptive than in the past. This may be the first DDoS attack that has also resulted in a significant recall of products used to perpetrate the attack, as Chinese manufacturer XiongMai made the move after acknowledging that the factory-default configuration of its webcams had allowed hackers to gain control of the products for their own use.

    • 25 Sep

      KrebsOnSecurity, Blizzard, OVH hit by DDoS attacks

      Distributed Denial of Service (DDoS) attacks made headlines during September as multiple notable sites and services reported coming under attack this week.

      Popular cybersecurity researcher Brian Krebs' KrebsOnSecurity website, the Blizzard gaming platform and French hosting firm OVH all reported being subjected to DDoS attacks. Especially notable was the fact that the attacks on KrebsOnSecurity and OVH reportedly recorded data volumes far in excess of what had previously been seen in such attacks.

      Reports on the incidents have underlined the fact that the attack volumes were amplified to such high levels by the availability of poorly secured, Internet-connected devices (e.g. webcams or routers) that could be hijacked by the attackers to gain greater firepower.

    • 29 Sep

      MH17 crash journalists targeted by Fancy Bear

      Security researchers published a report detailing their investigations of targeted attacks against journalists covering the downing of Malaysia Airlines Flight MH17 by what is believed to be a missile fired by pro-Russian rebels in Ukraine. According to the researchers, the attacks on the journalists showed strong similarities to attacks carried out by Fancy Bear (also known as Pawn Storm or Sofacy).

      The report also indicated that another group of pro-Russian hackers, identified as CyberBerkut, was also involved in the defacement of the journalists' website. Both groups of hackers are thought to have ties to the Russian government, which would have an interest in monitoring the progress of international investigations into the MH17 crash, which many have blamed on a Russian-provided missile.

    • 4 Aug

      Encrypted messaging service Telegram 'hacked' in Iran

      Security researchers claimed that hackers had compromised over a dozen accounts on the Telegram encrypted messaging service. The attack reportedly involves a complicit phone company intercepting the SMS verification messages sent when a user first registers an account and sharing them with the hacker(s), allowing them subsequent access to the account.

      Telegram has denied the reports, saying that the material comprised 'publicly available' information about whether phone numbers were registered to the service. It also noted that the 'interception of SMS messages' method highlighted by the report is one it already recommends countering with two-step verification.

    • 10 Aug

      Australia online census hit by DoS attack

      Politicians and bureaucrats have been left scrambling after Australia's controversial online census website was briefly disrupted by a denial of service attack.

      News reports covering the census had previously expressed concern about data security and privacy, mainly in relation to how long the website was intended to hold the submitted data. Following the attack however, further questions have been raised about how well the site was designed to sustain a fairly common type of attack.

    • 20 Aug

      Shadow brokers: NSA hacked, exploits exposed

      An anonymous group going by the name Shadow Brokers claims that it has hacked the Equation Group, a team of hackers believed to be tied to the US National Security Agency (NSA). In support of the extraordinary claim, the Shadow Brokers have posted a set of exploits they claim were used by the Equation Group.

      Security researchers investigating the exploits released have stated that the material appears to be in line with previously published research about the mysterious Equation Group's work.

      Network device manufacturing firms Cisco and Juniper have also confirmed that some of the exploits would also work against specific (and in some cases, older or defunct) network components produced by the companies. 

    • 29 Aug

      FBI: Breaches in electoral database in 2 states

      The US Federal Bureau of Investigation has issued an alert to all election officials to improve the security of their electoral systems, after it confirmed that suspected foreign hackers had breached the voter registration databases of two states. Though the alert did not name the states in question, they are thought to be Arizona and Illinois, which had earlier announced that they had been hacked.

      The alert comes with only two months left to go before the next presidential election.

    • 31 Aug

      SWIFT: More banks hit by attacks since June

      In a private letter to its member banks, SWIFT noted that it was aware of additional attacks being carried out since the spate of bank 'cyber heists' widely reported in the media earlier this year. No specific details were available about the attacks mentioned.

      SWIFT, which manages the self-named critical global financial messaging system, came under heavy fire earlier this year when attacks targeted against member banks - most notably the Bangladesh Bank - successfully transmitted fraudulent instructions to perform funds transfers. It has since been taking steps to push its member banks into improving security, though the efforts are hampered by its lack of enforcement or regulatory authority.

    • 14 Jul

      Hackers steal 'millions' from ATMs in Taiwan

      Authorities in Taiwan are investigating how the equivalent of USD2 million in Taiwan dollars was withdrawn from ATMs in the country in the space of a few minutes without the use of bank cards.

      According to reports, video footage of the ATMs showed that several individuals wearing masks made the withdrawals using a "connected device". The ATMs targeted by the attack were apparently infected with malicious programs, which were able to force the machines to directly dispense funds without linking the withdrawals to any customer accounts.

      Police in Taiwan suspect two Russian nationals are involved in the incident. The suspects reportedly left the country immediately after the attack. Coincidentally, the incident occurred while Taiwan was also dealing with the impact of a typhoon.

    • 18 Jul

      WikiLeaks 'under sustained attack' following Turkey emails release

      Whistleblowing website WikiLeaks says it came 'under sustained attack' following its publication of almost 300,000 emails allegedly from Turkey's ruling Justice and Development Party (AKP).

      The service has since recovered from the attack; in tweets providing updates of the situation, WikiLeaks stated that while they "are unsure of the true origin of the attack. The timing suggests a Turkish state power faction or its allies".

      WikiLeaks subsequently noted that access to its site had been blocked in Turkey, a claim that was later confirmed by the nation's Telecommunications Communications Board.

    • 8 Jun

      Uni of Calgary pays CA$20K ransomware demand

      The University of Calgary reported it had paid 20,000 Canadian dollars' worth of Bitcoins as a ransom in order to restore files that had been encrypted by ransomware on more than a hundred of its computers in the previous month.

      According to reports, the university had elected to pay the ransom demanded as they did not want to "exhaust the option" as a possibility for getting the affected data back. The university is evaluating the decryption keys that were provided following the payment, though reports have stated that there is no guarantee that all affected data would be recovered.

      Local law enforcement authorities were also notified of the incident and are investigating.

    • 13 Jun

      S. Korea: 'N. Korea hacked thousands of computers'

      Seoul's police cyber investigation unit announced that North Korea was thought to be responsible for the hacking of over 140,000 computers in over 160 South Korean companies and government bodies.

      According to news reports, the hacks were noticed in February of this year, following investigations into the theft of defense-related material, but had begun in 2014. During the intrusions, the police said the hackers had also planted malicious code on the compromised machines, "laying groundwork for a massive cyber attack" on the nation.

      Following the discovery, the police reportedly worked with the affected companies to "neutralize the malicious code".

    • 13 Jun

      Angler exploit kit falls, Neutrino ascends

      Security researchers have noted a recent and precipitous fall in detections for the notorious Angler exploit kit, which had previously been one of the most dominant exploit kits in the threat landscape.

      The last time an exploit kit suffered a similar fate was the collapse of the BlackHole kit after the arrest of Dmitry Fedotov (also known as Paunch), its Russian author. While there has been no confirmation of any similar arrest affecting Angler, the recent arrest of 50 hackers in Russia for banking fraud using the Lurk trojan has raised speculation about possible links.

      The drop in Angler detections has been accompanied by a rise in detections for the Neutrino exploit kit, which is now also reportedly spreading ransomware that was previously only handled by Angler. As happened with BlackHole, once one exploit kit falls, another quickly moves in to take its place.

    • 21 Jun

      Attackers hit Indonesia, S. Korea central banks

      The central banks of Indonesia and South Korea announced that their websites had suffered Distributed Denial of Service (DDoS) attacks, following last month's announcement by the Anonymous hacking collective of the launch of Operation Icarus.

      The collective had stated their intention to target banks around the world, following which the banks of Cyprus and Greece had shortly afterwards reported attacks on their websites.

      In the latest attacks, both banks reported no harm was done. Bank Indonesia noted that it had blocked access to its site from 149 regions that did not normally access it, as a countermeasure against the flood of connections being used to overwhelm the site.

    • 23 Jun

      Necurs botnet ramps up after period of silence

      Following a period of surprising inactivity at the beginning of June, security researchers have noted that the Necurs botnet has resumed operations, heralding its return with the launch of a new spam email campaign to spread Locky ransomware.

      The unexpected silence earlier in the month prompted security researchers to speculate that the group operating the botnet had been affected by a recent spate of arrests in Russia, which involved hackers said to be using the Lurk trojan for banking fraud. As no concrete link has been established between the two events and researchers have few other clues about why the botnet suffered its sudden outage, the incident remains something of a mystery for now.

      During the recent period of inactivity for the Necurs botnet, distribution of the Locky ransomware and the Dridex banking trojan fell precipitously, underscoring the dependence of those email campaigns on the botnet.

    • 15 May

      Vietnam bank attacked after Bangladesh bank heist

      Vietnam's Tien Phong Bank announced that it had been the subject of an attempted attack similar to the hack that resulted in the $81 million heist at the Bangladesh Bank.

      The announcement follows a letter sent by the Society for Worldwide Interbank Financial Telecommunication consortium (known as SWIFT and responsible for a private network connecting banks around the world) to its member banks that mentioned a second attack had been reported, but did not name the bank.

      The Vietnamese bank reported that the attack it faced had involved about $1.1 million and was stopped before the funds could be taken. The attack did not involve a direct compromise of the SWIFT network itself, but targeted the PDF reader software the bank used to read records of money transfers.


    • 3 May

      Iranian Infy cyber espionage campaign reported

      Security researchers reported their discovery of a cyber espionage campaign that had been running for almost a decade. The campaign was attributed to an Iranian hacking group that went after government bodies and other 'high-value' targets around the world in that timespan.

      According to reports, the group used malware referred to as Infy to conduct their attacks on government officials, company employees and even private citizens. The malware was reportedly distributed as email file attachments which, when executed, planted the malware on the target's computer. The malware would spy on activity on the affected machine and steal data, which was forwarded to remote command and control servers reportedly based in Iran.

      Over the many years the Infy malware was in use, its technical capabilities were refined and improved, with the attackers behind the malware taking care to keep their work as low-profile as possible in a bid to remain undetected.

    • 5 May

      Anon's 'Operation Icarus' targeting banking industry

      The Anonymous hacking group launched their #OpIcarus campaign against the international banking industry with calls for a wave of Distributed Denial of Service (DDoS) attacks against the websites of major banks and other related institutions.

      In early May, there were reports of a series of DDoS attacks against the sites for the Bank of Greece and the Central Bank of Cyprus. The attacks were reported to last from a few minutes to several hours.

      The Anonymous collective have also released lists of financial institutions to be targeted by their members, which range from major national banks to global bodies such as the International Monetary Fund (IMF).

    • 13 May

      Germany: 'Russia behind Bundestag hack'

      Germany's domestic intelligence agency has publicly attributed the 2015 hack of the country's parliament to a hacking group known as Sofacy/APT28 and thought to be working for the Russian government.

      According to reports, the head of Germany's Federal Office for the Protection of the Constitution (known by its German abbreviation BfV) said that the attack on the Bundestag had been for intelligence gathering purposes. The hacking group behind the attack was also said to be attacking other German state organizations.

      Russia has thus far not commented on the accusation.

    • 20 May

      SWIFT attacks: 3rd & 4th attacks reported, links to Sony hack

      A lawsuit filed by Ecuadorian bank Banco del Austro SA against Wells Fargo over a 2015 heist that resulted in a loss of over $12 million was the third reported attack to involve the SWIFT banking network.

      A week later, security researchers announced that a fourth bank, this one in the Philippines, also suffered an attack in October 2015 that shared the same hallmarks as the three previous SWIFT-related attacks.

      The researchers also uncovered links to the notorious 2014 Sony Pictures hack, based on similarities in the code of the malware used in both attacks. At the time of the Sony hack incident, the attack had been tentatively attributed to North Korea.

    • 26 May

      SWIFT attacks: 12 more banks being investigated

      Investigators looking into the Bangladesh bank heist have expanded their investigations to search for evidence of possible breaches at 12 more banks tied into the SWIFT payment network.

      According to reports, the banks had themselves approached the investigators, after discovering signs that pointed to possible intrusions. At the time of writing, no funds were said to have been taken from the banks, which are based mainly in Southeast Asia.

      SWIFT, the private network used by the banks to transfer funds, has been under pressure to improve their authentication and security measures, following the recent series of reported attacks.

    • Apr 10

      FBI issues warning over 'CEO scam' phishing emails

      The FBI has issued a warning to businesses in the US about ongoing phishing attacks, in which emails designed to look like they originate from a company's Chief Executive Officer (CEO), or other high-ranking executives, are used to pressure Finance or Human Resource staff into unwittingly transferring funds to the attackers.

      The agency states that it has seen a '270 percent increase' in such attacks, which it describes as 'Business E-Mail Compromise Scams'. They also note that the attackers usually perform extensive research or social engineering on the company employees and processes in order to make the email appear more legitimate.

      According to the FBI, for the period from October 2013 through February 2016, companies who reported being affected by such attacks have seen more than $2.3 billion in losses.
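      The impersonation pattern the FBI describes (an executive's name on an address that is not theirs, a lookalike domain, or a Reply-To that quietly diverts answers) can be screened for at the mail gateway. The following is an added example written for this page, not FBI guidance or any vendor's product; the company domain, the executive list, the thresholds and the sample headers are all constructed assumptions.

```python
"""Detect 'CEO fraud' (Business E-Mail Compromise) style headers.

Flags a message when a known executive's display name arrives from an address
other than the one on file, when the sending domain is a near-miss of the real
one, or when Reply-To would redirect replies somewhere else.
"""
from email.utils import parseaddr

# Assumptions for this example: the company domain and its executives' real mailboxes.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
URGENCY_WORDS = ("urgent", "wire", "transfer", "confidential", "asap")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(headers: dict) -> list:
    """Return the indicator names found in a header dict; an empty list means nothing odd."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)

    # 1. An executive's display name, but not the mailbox we know for them.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("exec_name_unexpected_address")

    # 2. The sending domain is a near-miss of ours (a letter swapped, dropped or added).
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike_domain")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append("reply_to_diverges")

    # 4. Urgent payment language only counts alongside another indicator;
    #    on its own it is just a busy finance department.
    subject = headers.get("Subject", "").lower()
    if findings and any(w in subject for w in URGENCY_WORDS):
        findings.append("urgent_payment_language")
    return findings


# Constructed sample headers for this example (not real messages).
LEGIT = {"From": "Jane Doe <jane.doe@example-corp.com>", "Subject": "Board deck"}
SCAM = {
    "From": "Jane Doe <jane.doe@example-c0rp.com>",
    "Reply-To": "ceo.office@mail-example.net",
    "Subject": "URGENT wire transfer - confidential",
}

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("scam", SCAM)):
        print(label, bec_indicators(msg) or "clean")
```

      The check is deliberately header-only so it can run before the body is parsed; in practice it sits alongside SPF/DKIM/DMARC evaluation, which catches outright forgery of the real domain but not the lookalike-domain case above.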

    • Apr 15

      GozNym hybrid malware steals $4M from banks

      Security researchers have reported that a new malware strain was responsible for stealing a total of 4 million dollars from various banks in the US and Canada in the first few days of April.

      According to the published report, the attackers combined code from the Nymaim and Gozi malware families to create a hybrid that researchers named GozNym. The malware is distributed to the banks' customers in emails carrying either malicious links or file attachments. If the user unwittingly clicks the link or opens the attachment, the malware is installed on their computer, where it waits until the user logs into their online bank account and then monitors the web session to capture and steal the account login credentials.

      The malware appears to mainly, but not exclusively, target business banking and credit unions.

    • Apr 19

      "Phineas Fisher": How I hacked Hacking Team

      The hacker behind the July 2015 breach of the Hacking Team surveillance software company

    • Mar 15

      Bangladesh's central bank loses $80M to cyberheist

      Bangladesh's Central Bank announced that more than $80 million had been siphoned from its account at the Federal Reserve Bank of New York.

      According to news reports, bank officials said that investigations into the incident indicate that hackers had installed malware into the bank's computer systems and monitored the regular day-to-day operations for a period of time before launching their heist.

      The hackers appeared to have stolen the bank's credentials for the SWIFT messaging system, which banks use to exchange authenticated payment instructions. They then used the credentials to impersonate the bank and issue a series of transfer orders against its account at the Federal Reserve Bank of New York, with some of the transfers going to the Philippines and others sent to Sri Lanka. The transfers only came under suspicion when a spelling mistake in the name of a (fake) non-profit organization in Sri Lanka prompted an inquiry to the Bangladesh bank, leading to the heist's discovery. Subsequent transactions were cancelled, leaving the central bank with a loss of more than $80 million.

      The perpetrators of the attack are currently unknown. The Governor of the bank has resigned in the wake of the incident.

    • Mar 16

      Major sites affected by malvertising pushing ransomware

      Over the first weekend of March, major websites including the New York Times, BBC, AOL and a range of other news and entertainment portals inadvertently displayed advertising content that redirected unsuspecting users to malicious sites hosting exploit kits such as Angler. These kits probe the redirected user's computer for vulnerabilities and, if any are found, exploit them to install ransomware onto the machine.

      This type of attack (known as malvertising) involves the attackers submitting ads containing hidden malicious code to legitimate online ad networks, which then distribute the content to their client websites. In this attack, the malicious content was being distributed by multiple ad networks, and the buried code targeted vulnerabilities in Microsoft Silverlight, Adobe Flash and other software.

    • Mar 8

      Pawn Storm cyberthreat group targets Turkey

      Security researchers have reported that the cyberespionage group known as Pawn Storm (or variously APT28, Fancy Bear, Sofacy, Sednit, or Strontium) has shifted focus to include several departments in the Turkish government, including the Prime Minister's office, the Director General of Press and Information, the National Assembly and others.

      According to the report, the group uses a variety of social engineering schemes to trick government employees into either revealing their credentials or unwittingly installing malware onto their computers. The attackers then silently install surveillance programs to monitor their targets.

      The Pawn Storm cyberespionage group has been linked to the Russian state, as the targets selected by the attackers have been closely aligned with Russian foreign policy.

    • Mar 23

      Kentucky hospital affected by Locky ransomware

      Methodist Hospital in Henderson, Kentucky, USA announced that some of the computers in its internal network had been locked by the Locky ransomware. In a public statement, the hospital reassured patients that though some files were encrypted, the hospital still had clean, accessible and up-to-date backups, and that patient care remained unaffected.

      According to reports, the hospital noticed the infection after a handful of computers were affected, and shut down all computers as a precaution. The systems were brought back online one at a time, after each was scanned for infection. Operations reverted to processing everything by paper while the systems were being checked.

      The attackers apparently demanded a ransom of 4 Bitcoins in exchange for the decryption key. The hospital has not ruled out paying the ransom, but said it would only do so if absolutely necessary. The incident was reported to the federal authorities and an investigation has been launched.

    • Mar 21

      Bangladesh bank cyberheist investigator 'abducted'

      An investigator looking into the theft of USD 80 million from the Bangladesh central bank's foreign reserve account has reportedly disappeared shortly after informing the police that he "knew three user IDs used for the heist".

      According to news reports, researcher Tanveer Hassan Zoha had expressed concerns to the local media about the cybersecurity protections in use for the bank's computers at the time. He was later bundled into a vehicle and has since not reappeared.

      In related news, the Bangladesh bank called for "technical and human" assistance from the FBI, and has apparently uncovered evidence that the attackers "hail from six different countries".

    • Mar 24

      Report: Water treatment plant, shipping company hacked

      Security researchers at Verizon Enterprise published a report of case studies that included, among other interesting investigations: a shipping company that was hacked by pirates looking to pinpoint only the containers holding the most valuable merchandise on cargo ships; and a water treatment plant that had the chemical treatment of its water tweaked by curious hackers.

      In both cases, the companies' internal networks were breached when the attackers were able to find and exploit a vulnerability in a web-accessible portal or application in order to get onto the web server. They were then able to traverse the network undetected until they reached more critical internal systems.

    • Feb 5

      WordPress hacks lead to ransomware

      Security researchers have warned of an ongoing campaign using hacked WordPress sites to redirect users to malicious webpages hosting the Nuclear exploit kit.

      According to the researchers, affected WordPress sites included injected encrypted code at the end of legitimate JavaScript files, which sent first-time visitors to the site through a series of redirects before final exposure to the exploit kit. Redirected users who use out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer may then be infected with ransomware.

      Researchers advised WordPress site administrators to update their software, ensure their administrator passwords are strong and unique, and switch on two-factor authentication if available. Users are urged to update all their installed programs to prevent ransomware infection.
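      A site owner can also look for the injection itself. The campaign above appends an obfuscated blob to the end of otherwise legitimate JavaScript files, and that has a recognisable shape: a very long final line built around eval/unescape/fromCharCode, often with hex escapes. The scanner below is an added example for this page, not from the researchers' report or from WordPress; the thresholds and the clean/injected sample files are constructed.

```python
"""Scan JavaScript files for an obfuscated payload appended after the legitimate code.

Heuristic: look only at the tail of the file. A very long line, a high-entropy
blob, or a pile of hex escapes is suspicious when it appears together with an
evaluation primitive (eval, unescape, String.fromCharCode, document.write).
"""
import math
import re
from collections import Counter

EVAL_PRIMITIVES = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\b")
LONG_LINE = 500          # assumption: characters in a single line
ENTROPY_SUSPECT = 5.2    # assumption: bits/char; readable JS is usually around 4.5-5.0
HEX_ESCAPES = 16         # assumption: count of \xNN escapes in the tail


def shannon_entropy(text: str) -> float:
    """Bits per character; obfuscated or encoded payloads score higher than code."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tail_findings(js: str, tail_lines: int = 3) -> dict:
    """Examine the last `tail_lines` non-empty lines and report what was found."""
    lines = [line for line in js.splitlines() if line.strip()]
    tail_list = lines[-tail_lines:]
    tail = "\n".join(tail_list)
    findings = {
        "long_line": any(len(line) > LONG_LINE for line in tail_list),
        "eval_primitives": sorted(set(EVAL_PRIMITIVES.findall(tail))),
        "hex_escapes": len(re.findall(r"\\x[0-9a-fA-F]{2}", tail)) >= HEX_ESCAPES,
        "entropy": round(shannon_entropy(tail), 2),
    }
    # An eval primitive alone is common in minified libraries; require a second signal.
    findings["suspicious"] = bool(
        findings["eval_primitives"]
        and (findings["long_line"] or findings["hex_escapes"]
             or findings["entropy"] > ENTROPY_SUSPECT)
    )
    return findings


# Constructed samples: a small legitimate plugin, and the same file with a packed
# one-liner appended, which is the shape the injected code takes.
CLEAN_JS = (
    "(function($){\n"
    "  $.fn.highlight = function(){ return this.css('background', '#ff0'); };\n"
    "})(jQuery);\n"
)
PACKED_PAYLOAD = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}('"
    + "0 1=2(\"3\");1.4=\"5\";" * 40
    + "',6,6,'var|i|document|iframe|src|http'.split('|')))"
)
INJECTED_JS = CLEAN_JS + PACKED_PAYLOAD + "\n"

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_JS), ("injected", INJECTED_JS)):
        print(label, tail_findings(text))
```

      Run it over every `.js` file under the web root and diff the results against a known-good copy of the same plugin or theme; a legitimately minified library trips the eval check but not the tail-position checks, because its packed code is the whole file rather than a trailer bolted onto readable source.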

    • Feb 10

      Malvertising via Skype delivers Angler

      Security researchers at F-Secure noted a malicious advertising campaign that saw the popular Skype messaging platform being used (in addition to more traditional, browser-based methods) to direct users to a malicious webpage hosting the Angler exploit kit. Users exposed to the exploit kit may be infected with ransomware.

      This particular campaign ended shortly afterwards; malvertising on a non-browser platform however remains a viable attack vector.

    • Feb 18

      Hospital pays for ransomware decrypt key

      Hollywood Presbyterian Medical Center announced that it had paid USD17,000 to hackers in order to obtain the decryption key needed to restore access to computer files that had been encrypted by ransomware and effectively crippled the hospital's services.

      The attack on the hospital's electronic medical records and other computer systems was first noticed on February 5. Patient care was reportedly not affected, but administrative work was forced to move back to paper records while investigations were underway.

      Executives eventually decided to pay the ransom in the interest of quickly restoring normal operations. The ransom was paid in Bitcoin.

    • Feb 29

      German hospitals reportedly hit by ransomware

      German news provider Deutsche Welle reported that at least three hospitals in Germany had been affected by ransomware. According to the news reports, the affected hospitals reported the attacks to the authorities, and have refused to pay the ransoms demanded. In the meantime, the staff at affected facilities were forced to resort to paper records, while their computer systems were being investigated and disinfected. No significant medical devices were reportedly affected by the attack, allowing patient care to continue.

    • Jan 26

      Reports say hack caused Ukraine power outage

      The US Department of Homeland Security has issued a report stating that the power outages which affected the Ukrainian Ivano-Frankivsk region were the result of a cyber attack on the country's power network. The report follows earlier published analyses of the incident from various security researchers.

      According to the various reports, the attackers were able to remotely open the breakers at multiple power substations belonging to at least two major energy providers. Research suggests that the attackers used known malware, BlackEnergy, to gain access to the companies' corporate networks, and moved through that environment until they reached the control networks that allowed them to operate the breakers.

      News reports have credited this incident as the first confirmed hacker-caused power outage. News reports in Ukraine have publicly pointed to Russia as the culprit behind the attack, though no further evidence has been found to support the claim.

    • Jan 26

      Ransomware hits India banks, pharmaceutical

      The Economic Times has reported that three banks and a pharmaceutical company in India were attacked by hackers recently. According to the report, the attackers were able to infiltrate the companies' network and encrypt saved files; they then demanded a ransom payment (payable in the Bitcoin digital cryptocurrency) in order to restore normal access to the affected data.

      The attackers reportedly used the LeChiffre ransomware to perform the attack. Security researchers at Emsisoft were able to create a free decryption tool for this particular ransomware after discovering flaws in the way the malware encrypts files.


    • Jan 27

      Israel Electricity Authority hit by ransomware

      Israel's Electricity Authority, a government department that oversees utility services in the country, was briefly affected by ransomware, leading the department to take some of its computers offline. Contrary to some media reports of the incident, Israel's power network remained unaffected by the attack, which was confined to the department's internal office network.

    • Feb 5

      Hackers try to access millions of Taobao accounts

      Chinese online shopping giant Alibaba announced that hackers had attempted to access millions of accounts associated with its popular Taobao online marketplace.

      According to news reports, the hackers had obtained a database of 99 million usernames and passwords leaked from other websites. They then used Alibaba's own cloud computing platform to try the stolen credentials against the Taobao login. About 20 million of the attempts succeeded, showing that those account holders had reused the same credentials across multiple sites.

      According to reports, Alibaba's systems discovered and blocked most of the attempted forced entries; accounts that were compromised were used to create fake orders on the online marketplace. The hackers responsible for the attack have reportedly been caught.
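      Detection logic for this kind of credential stuffing, added here as an example and not taken from Alibaba or the original reports: it aggregates login attempts per source address and flags sources that try many distinct accounts with a low success rate, which is what a replayed password dump looks like and what a single user mistyping their own password does not. The log format, thresholds and sample lines are constructed for this example.

```python
"""Credential stuffing detection over authentication logs.

A source that tries many distinct accounts with a low success rate is replaying
someone else's credential dump. One user fumbling one password produces few
attempts against a single account, so it stays below the thresholds.
"""
import re
from collections import defaultdict

# Assumed log format for this example: "<timestamp> src=<ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

# Assumed thresholds; tune to the service's normal traffic.
MIN_ATTEMPTS = 20
MIN_DISTINCT_USERS = 10
MAX_SUCCESS_RATE = 0.5


def summarize(lines):
    """Per-source counters: total attempts, distinct accounts tried, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        s = stats[m["src"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "OK":
            s["ok"] += 1
    return stats


def stuffing_sources(lines):
    """Return {source: (attempts, distinct_users, success_rate)} for sources that look like stuffing."""
    flagged = {}
    for src, s in summarize(lines).items():
        rate = s["ok"] / s["attempts"]
        if (s["attempts"] >= MIN_ATTEMPTS
                and len(s["users"]) >= MIN_DISTINCT_USERS
                and rate <= MAX_SUCCESS_RATE):
            flagged[src] = (s["attempts"], len(s["users"]), round(rate, 2))
    return flagged


def sample_log():
    """Constructed log lines: one forgetful user, one source replaying a credential dump."""
    lines = [
        f"2016-02-05T10:00:{i:02d} src=198.51.100.7 user=alice result={'OK' if i == 4 else 'FAIL'}"
        for i in range(5)
    ]
    for i in range(40):
        # every fifth replayed credential happens to be reused on this site
        lines.append(
            f"2016-02-05T10:01:{i:02d} src=203.0.113.9 user=user{i:03d} "
            f"result={'OK' if i % 5 == 0 else 'FAIL'}"
        )
    return lines


if __name__ == "__main__":
    for src, (attempts, users, rate) in stuffing_sources(sample_log()).items():
        print(f"{src}: {attempts} attempts against {users} accounts, success rate {rate}")
```

      Because the Taobao attackers ran their attempts from a cloud platform, a production version would aggregate by network prefix or ASN as well as by single address, since a stuffing run is typically spread across many short-lived instances.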


    • 13 Dec

      Popcorn Time ransomware entices victims to infect others

      A new family of ransomware known as Popcorn Time has been discovered that offers an infected user a particularly insidious way of gaining the decryption key needed to retrieve their affected contents - share a link to their friends, and if two are successfully infected and pay up, the key is provided.

      As always with such malware, the most pertinent advice is to ensure that you have clean backups stored offline or otherwise out of reach of the infected machine, so that there is no need to pay the ransom.

    • 27 Dec

      Flocker Android ransomware infects smart TV

      Over the Christmas holiday, a smart TV was reportedly infected by a variant of the Flocker ransomware. The infection was possible as the device used Google TV, a smart TV platform that was a joint effort by Google, Intel, Sony and Logitech but was later shelved in 2014.

      According to reports, the infection occurred after relatives downloaded an app promising free movies, which subsequently caused the TV to freeze and then display the ransom demand. The incident was finally resolved after the TV manufacturer LG provided the TV owner with undocumented factory reset instructions.

    • 28 Dec

      Switcher Android trojan changes router DNS settings

      Security researchers announced the discovery of a new Android trojan that attempts to change the DNS settings on a router.

      Dubbed Switcher, the malware, once installed on an Android device, silently opens the web interface of the Wi-Fi router the device is connected to and attempts to brute-force the administrator login with commonly used or default passwords. If it gains access, it changes the router's settings to use a DNS server under the attacker's control, which can then redirect traffic from every device on that network to unsolicited or malicious sites.

      The two variants of the Switcher malware currently known appear to be targeted to Chinese Android users, as they are designed to look like apps for a Chinese search engine or for sharing Wi-Fi location information (a popular service among business travelers in the country).

    • 16 Nov

      Ransoc extorts users for torrenting, 'child abuse' materials

      A new form of ransomware is using extortion rather than encryption to pressure users into paying the ransom demanded. Dubbed Ransoc, the new malware displays a 'Penalty Notice' (really the ransom demand) if it discovers media files downloaded via torrents on the infected machine. Reports also indicate that the notice is displayed if there is "potential evidence" of child abuse material found on the machine.

      Ransoc also scrapes the user's Skype and social media profiles for personal information, which is then used to personalize the ransom demand by essentially threatening to expose the collected 'evidence' publicly unless payment is made. Also unusual is the fact that Ransoc authors allow use of credit card payments rather than anonymous digital crypto-currency payments.

    • 21 Nov

      Locky ransomware reported spreading in decoy image files

      Security researchers reported that Locky ransomware is being spread over Facebook Messenger and LinkedIn in specially crafted files disguised as images.

      According to reports, the spam campaigns being used to distribute the malware exploit a 'misconfiguration' in the social networks' infrastructure to automatically download what appears to be an image file onto the user's device. The file is actually an SVG (an image format that can carry embedded script) or a script in a format such as JS or HTA, and serves as a downloader for the Locky ransomware. After the download the user would still need to manually open the file in order to be infected, and in at least some reports would also need to visit a decoy website and install a 'codec' or browser plugin for the infection to succeed.
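      An upload or attachment filter that would have caught the decoy 'image' described above, added here as an example and not part of the original report: it treats an SVG as active content if it contains a script element, an on* event handler or a javascript:/data: reference, and rejects files that are not SVG at all (a JS or HTA file renamed to look like an image). The sample files are constructed.

```python
"""Reject 'image' files that can execute script.

SVG is XML, so a browser will run a <script> element, an onload= handler or a
javascript: link inside it when the file is opened. Anything that is not
well-formed SVG (for example a .js or .hta renamed to .svg) is rejected outright.
"""
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed"}
REFERENCE_ATTRS = {"href", "src"}  # covers xlink:href too, after namespace stripping


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list:
    """Return the reasons the file could execute code; an empty list means it looks inert.

    ElementTree will not fetch external entities, but for untrusted uploads in
    production prefer defusedxml, which also blocks entity-expansion bombs.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]

    reasons = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            v = value.strip().lower()
            if a.startswith("on"):
                reasons.append(f"{a} handler on <{tag}>")
            elif a in REFERENCE_ATTRS and (v.startswith("javascript:") or v.startswith("data:")):
                reasons.append(f"{a}={v[:20]!r} on <{tag}>")
    return reasons


# Constructed samples: a harmless icon, a weaponised 'image', and a script renamed to .svg.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
EVIL_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
    b'<script>location="http://decoy.example/codec"</script>'
    b'<a href="javascript:alert(1)"><text>click</text></a></svg>'
)
RENAMED_JS = b'var payload = "not an image at all";'

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SVG), ("evil", EVIL_SVG), ("renamed", RENAMED_JS)):
        print(label, svg_active_content(blob) or "inert")
```

      Rejecting is the right default for files arriving from other users; if SVGs must be accepted, serve them with a strict Content-Security-Policy and as `Content-Disposition: attachment` so the browser does not render them in the site's origin.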

    • 5 Oct

      Malvertising affects Spotify Free service

      Users took to social media to complain about malicious ads being shown on local installations of the Spotify Free service. The ads were automatically opened in the user's browser, and were serving sites with malicious content - mostly adware, fake anti-virus programs and other potentially unwanted applications (PUA). Spotify was able to quickly identify the source of the rogue ads and shut it down.

    • 6 Oct

      Source code of Mirai bot malware released

      Hackers published the source code for the Mirai Internet of Things (IoT) bot malware, which gained recent notoriety for being used in massive Distributed Denial of Service (DDoS) attacks. The Mirai botnet is thought to be at least in part responsible for the biggest recorded attacks so far: a 620 Gbps wave against security researcher Brian Krebs' website and the 1.1 Tbps attack on French hosting firm OVH a few days later.

      Thus far, Mirai infections have mostly involved internet-exposed devices such as CCTV cameras and DVRs that still use factory-default telnet credentials, and the total number of infected devices is estimated at between 120,000 and 1.5 million. With the release of the source code, however, there are fears that other malware authors will adapt it for use against other web-accessible devices.

    • 10 Oct

      DXXD ransomware displays ransom demand before Windows account login

      A new ransomware family named DXXD has been reported using the Windows Legal Notice screen to show a ransom demand before the user logs into their account.

      A security researcher was able to create a decryption tool for the first version of the DXXD ransomware. The malware author subsequently released version 2.0 of the ransomware, which fixed the flaw that had enabled the decryption tool to work.

    • 11 Oct

      Odinaff malware targets machines connected to SWIFT banking network

      Security researchers have discovered more banking malware that specifically targets and infects machines that connect to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) banking network.

      Named Odinaff, the trojan is designed to edit the local logs created on the machines by SWIFT-related software, allowing the attackers to send and then hide fraudulent banking instructions over the network. The researchers suspect the latest malware to be the work of a criminal group.

    • 13 Sep

      GovRAT reportedly targeting gov't bodies

      Security researchers reported the discovery of an updated version of the GovRAT malware (version 2.0) being sold online.

      The previous version of GovRAT had been found in November 2015 being used in cyber espionage campaigns targeted at banks and defense contractors. GovRAT version 2.0 has since been updated to include new features, such as customized encryption, keylogging capabilities and remote code execution.

    • 27 Sep

      Fancy Bear hacking group linked to OSX Komplex trojan

      Security researchers have linked the Fancy Bear hacking group (also known as Sofacy or Pawn Storm) to malware that targets OS X machines in the aerospace industry.

      The malware, identified as Komplex, uses social engineering tactics to gain entry to the targeted machine. Once installed, the malware contacts its remote command and control server for instructions and to download additional files onto the affected machine.

    • 27 Sep

      Qadars targets UK banks, Dridex spam runs resume

      A new distribution campaign of a banking-trojan family has been reported targeting banks in the United Kingdom, as well as financial institutions on the continent. The Qadars malware family uses exploit kits, botnets and drive-by downloads to install itself onto a device, then steals banking-related data from the infected victims. It is also capable of monitoring and hijacking text messages sent to a mobile device, which defeats SMS-based transaction codes.

      Meanwhile, spam email campaigns used to distribute the Dridex banking-trojan have resumed after a 4-month absence. The latest run distributes the malware in attachments that are password-protected encrypted Office documents, presumably as a tactic to defeat security programs that are unable to handle file extraction or decryption.

    • 28 Sep

      Ransomware news: MarsJoke, Mamba, Cerber and more

      September saw multiple ransomware families make the news. F-Secure Labs reported that an email spam run which typically distributes Cerber ransomware was found to be delivering Locky ransomware instead, marking an unusual conflation of two usually separate malware distribution schemes.

      A new ransomware family named MarsJoke was reported targeting government and educational bodies using emails that appear to be offering cheap flights for government employees; if successfully installed on a machine, the ransomware gives the user 96 hours to pay 0.7 Bitcoins before it permanently encrypts all files on the machine.

      Another new ransomware family named Mamba was also reported that encrypts the entire hard disk, rather than individual files stored on it. The Mamba ransomware was discovered in Brazil, the United States and India. Unlike the Petya ransomware, which encrypts the file system's master file table rather than the disk contents, Mamba uses an open-source disk encryption tool (DiskCryptor) to overwrite the Master Boot Record and then encrypt the drive. It then demands a ransom payable in Bitcoin for the decryption key.

      Yet another new family, RAA, was found targeting corporate entities in Russia. Unlike most ransomware, the RAA malware is able to perform offline encryption, rather than needing to fetch an encryption key from its command and control server.

      Finally, the Virlock ransomware family has seen incremental changes to its code that now allows it to infect files as well as encrypting them. Theoretically, this means that a user who runs an infected file that has been shared (for example, via email, or through a network share) would then launch the encryption routine, causing all other files on their machine to be infected and encrypted.

    • 4 Aug

      NanHaiShu cyber espionage trojan reported

      Researchers at F-Secure Labs reported their analysis of a data-stealing trojan that targeted parties involved in the international arbitration case focused on the South China Sea.

      Named NanHaiShu by the researchers, the trojan targeted institutions involved in the dispute between China and the Philippines, which was resolved by an international tribunal earlier this year.

    • 8 Aug

      Project Sauron aka Remsec malware reported

      Security researchers reported their analysis of a sophisticated malware platform that has been active since 2011. The malware, known variously as Project Sauron or Remsec depending on the research group, is thought to have been developed and operated by a nation state, and used to infiltrate and gather data from a wide range of targets.

      Once installed on a targeted computer, the malware essentially gives total control of it to the remote operator, allowing them to track activity and steal data from the affected machine. The published research reports that the malware targeted 30 organizations in various countries, including Russia and Iran, as well as specific individuals.

    • 27 Aug

      Iran: malware found in petrochemical plants

      Iran announced that it found and removed malware from two petrochemical complexes. The announcement follows an investigation into whether recent fires that took place at other petrochemical facilities were caused by cyber attacks, though officials also noted that the malware removed was 'inactive' and not related to the fires.

    • 5 Jul

      Android 'HummingBad' uses root access for clickfraud

      Security researchers reported their discovery of an Android app that gains root privileges in order to display advertisements. In addition, the app can manipulate the way it displays the ads to trick users into clicking on them in order to falsely create advertising revenue, a practice known as 'clickfraud'. Because the app has root privileges, it is also able to silently install additional apps onto the device without the user's knowledge or consent.

      According to reports, the HummingBad app is the product of a Chinese advertising company and is primarily distributed on third-party app stores. The app is also reportedly being distributed as a drive-by download, in which a compromised website pushes the app to users who visit it.

      While the clickfraud-related behavior of the app is not new, the fact that the app is able to trick users into granting it root privileges on the device means that it can, theoretically, be used for more malicious actions than just displaying unsolicited ads.

    • 8 Jul

      Mac Keydnap malware steals passwords, installs backdoor

      Security researchers announced the discovery of a new Mac malware, named Keydnap, that attempts to steal the contents of the Mac OS X keychain, as well as installing a backdoor on the infected system that could be used by remote attackers for further attacks.

      The Keydnap malware has a number of unusual features. According to reports, it is distributed in an executable file that appears to be an image file; when the file is launched, it downloads and installs the backdoor. The malware also uses a component (taken from a publicly available GitHub project) to search for password data stored by OS X's keychain. This sensitive information is then exfiltrated via the Tor anonymizing network to the attacker's command and control (C&C) server. 

      In recent days, security researchers also noted the appearance of another Mac malware, named Eleanor, which also installs a backdoor on an infected Mac machine - though the malware is sophisticated enough to avoid installing the backdoor if the machine is running the Little Snitch security program. 

    • 13 Jul

      Ranscam poses as ransomware, deletes files

      Security researchers reported that they have identified a new strain of malware that poses as ransomware to essentially scam users into paying a 'ransom', but deletes files rather than performing the more technically demanding action of encrypting them.

      According to reports, the malware known as Ranscam displays a notification message that appears very similar to messages displayed by crypto-ransomware, and demands payment of a 'ransom', supposedly to restore files that it had encrypted. Unlike actual crypto-ransomware however, the affected files are simply deleted, so that even if users pay the money demanded, the files cannot be restored.

    • 13 Jul

      Locky ransomware spikes after summer slowdown

      Following an unusual slowdown in email spam campaigns distributing Locky ransomware in the first weeks of June, researchers have noted an abrupt pickup in the amount of spam being delivered.

      Researchers at F-Secure Labs reported seeing multiple campaigns being launched, resulting in "more than 120,000 spam hits per hour", or four times the amount of activity seen in the previous week. The emails sent typically included a ZIP file attachment, while the email content is designed to make it appear as though the attachment contained requested invoices or receipts. If a recipient unwittingly opens the attachment, the Locky ransomware is downloaded and executed.

    • 18 Jul

      Neutrino exploit kit updates to use researcher's IE exploit

      Security researchers reported that the notorious Neutrino exploit kit has incorporated a recently published exploit for the CVE-2016-0189 vulnerability in Microsoft's Internet Explorer web browser.

      The exploit code was published by an independent security researcher after Microsoft had released a patch for the vulnerability. According to reports, the researcher was able to reverse-engineer the patch in order to work out how to create code that would exploit the flaw.

      Shortly after the publication of the exploit, researchers noted that the Neutrino exploit kit had been updated to include code that was almost identical. While a patch for the vulnerability is already available, users who have not yet applied the patch remain vulnerable to exploit-based attacks that target the flaw.

    • 1 Jun

      Microsoft warns of 'worm-like' ransomware

      Microsoft's Malware Protection Center reported a new type of ransomware that displays worm-like behavior and targets machines running versions of Windows earlier than Windows 10.

      Dubbed Ransom:Win32/ZCryptor.A, the malware is distributed via spam email, disguised as fake Flash Player installers, or as part of the payload of other malware. If the malware is unwittingly installed, it encrypts targeted files on the system, then displays a ransom demand.

      Unlike most ransomware, ZCryptor will also save a copy of itself onto any accessible removable drives, potentially gaining new victims if the removable drive is used on another, clean machine.

    • 7 Jun

      Researcher: Qarallax RAT spying on US visa applicants

      Security researchers at F-Secure Labs reported the discovery of malware, identified as Qarallax RAT, being used to harvest information from applicants for US visas in Switzerland.

      According to the report, the malware is distributed in a file designed to look like information sheets related to the visa application process; the malicious file was distributed via a Skype account using the name 'ustravelidocs-switzerland' (note the 'i'), which is one easily-missed letter away from a legitimate information service. Similar accounts also appear for visa application services intended for applicants from different countries, indicating that the operators of the malware are targeting various nationalities.

      If the unsuspecting user downloads and runs the file, it is able to capture user input from the mouse and keyboard. It is also able to use the webcam to take photos or videos.

    • 14 Jun

      FLocker Android ransomware targeting TVs

      Security researchers reported a new strain of the FLocker Android ransomware that is capable of infecting smart TVs that use the Android operating system.

      According to news reports, the malware will lock the TV screen to display a localized ransom demand that purports to be from a local law enforcement authority (making it a form of 'police-themed' ransomware). The malware then demands a sum in iTunes gift cards in order to release the lock on the screen.

      The malware, which is able to infect smartphones as well as TVs, reportedly avoids infecting devices in certain regions, such as Russia and Ukraine. On devices that it does infect, it does not encrypt stored files, but may harvest data such as contacts, system information and location.

    • 20 Jun

      Ransomware written entirely in JavaScript found

      Security researchers reported discovering a ransomware written entirely in JavaScript (.js), which allows the malware to immediately encrypt the user's data once the JS file has been downloaded. This contrasts with most ransomware samples, which are distributed as malicious code embedded in a document file, and must download the actual encrypting component before they can affect the user's data.

      The JavaScript ransomware, identified as RAA, opens a decoy document in WordPad in order to distract the user from the malicious activity taking place in the background. In the meantime, the ransomware contacts a remote server to retrieve an encryption key, then encrypts the user's data and displays the ransom demand.

      Also unlike most ransomware, RAA will install another malware - a password stealer (Fareit).

    • 23 Jun

      Ransomware targeting Zimbra email software reported

      Following user reports of a ransomware targeting emails sent via the Zimbra enterprise software, the company has published a blogpost providing more details of the ransomware infections and urging any affected users to contact their Support team for assistance.

      According to reports, the ransomware specifically looks for the Zimbra email message store folder and encrypts all files stored in it, adding the file extension .crypto to each affected file. The ransomware then adds a text file to the machine containing the ransom demand and instructions for paying it. The sum demanded is 3 bitcoins.

      The ransomware is written in Python, and reportedly requires a couple of Python dependencies to be installed before the malware can run on a server and affect the files.

    • 24 Jun

      'Godless' Android malware using framework to root devices

      Security researchers reported discovering a family of Android malware that uses multiple rooting exploits, allowing it to work on virtually any device running Android version 5.1 or earlier, which accounts for an estimated 90% of all devices on the operating system.

      Variants in the Godless malware family have been reported available in various app stores, including on the Google Play Store. The variants are either packaged as utility programs or repackaged copies of popular games. Once installed, the malware uses a rooting framework containing multiple exploits, which allow it to gain root privilege on the device.

      Once it has rooted the device, the malware installs another app that automatically downloads and installs apps. It may also inflate the rankings for certain apps on Google Play. The malware is reportedly installed on over 850,000 devices worldwide, most notably in India, Indonesia and Thailand.

    • 5 May

      Locky ransomware network hacked by grey hats

      In two separate incidents, unidentified 'grey hat' hackers were able to breach the command and control network used to distribute Locky ransomware.

      Locky is typically distributed as JavaScript files attached to spam email messages. In the first instance, the hackers replaced the ransomware with code that simply delivered the message, "Stupid Locky". In the second incident, the malicious file was replaced with a dummy file containing a public service announcement for users who would have unwittingly downloaded and run the actual malicious file.

      According to reports, the hacks of the Locky network would only have affected one or a handful of the control servers used to distribute the ransomware, so other servers in the network would still be serving the actual malicious file.

    • 10 May

      Viking Horde malware reported on Play Store, removed

      Security researchers have reported discovering malware on Google's Play Store that ropes infected Android devices into a botnet, which can be used for advertising fraud, spam distribution and Distributed Denial of Service (DDoS) attacks, among other malicious actions.

      The malware family was dubbed Viking Horde based on the name of the most popular trojanized variant, Viking Jump, though a handful of other similarly-affected apps were found. The apps were reportedly able to perform malicious actions on both rooted and unrooted devices. As the apps gain root access to the device during installation, uninstalling them from a device can be problematic.

      At the time of writing, the apps have been removed from the Play Store.

    • 17 May

      Redirector.Paco click-fraud botnet reported

      Security researchers reported the discovery of a botnet of almost 1 million machines infected with a malware they identify as Redirector.Paco, a trojan that intercepts search queries to major search engines and redirects the unsuspecting users to search results that have been altered by the botnet operators to include ad links that generate payments for the fraudsters.

      The redirection attack (also referred to as 'clickjacking') is used by the botnet operators to abuse the Google AdSense advertising program, which would pay (in good faith) for web traffic to advertisements. Meanwhile, users infected by the trojan may notice a longer loading time for the search results, or other minor telltale signs of the infection.

    • 18 May

      TeslaCrypt shuts down, releases decryption key

      The operators of the TeslaCrypt ransomware have posted a notice announcing the shutdown of their operation. The announcement also said they were 'sorry' for the disruption they had caused, and included the master decryption key used by their malware to encrypt files on victim machines.

      The unexpected move allowed security researchers to create a decryption tool for users affected by the ransomware and unable to make the ransom payment to the now defunct operators.

    • Apr 10

      Decryption tool released for Petya ransomware

      A flaw in the way the Petya crypto-ransomware performs its encryption has been used by security researchers to create a tool that can generate the password used by the malware to decrypt the master boot file, potentially allowing affected users to recover their systems without paying the ransom demand.

      While freely available, the decryption tool requires some technical knowledge to use, though other sources have also published a step-by-step tutorial to provide assistance.

    • Apr 22

      Jigsaw ransomware deletes files for slow payments

      A particularly nasty strain of ransomware has emerged, which deletes files on a victim's computer if the ransom demand is not paid in time, or if the user reboots the computer.

      Known as Jigsaw (a reference to the infamous character from the Saw movie series), the malware threatens to delete files stored on the computer every hour; if the machine is rebooted, the ransomware reportedly deletes 1,000 files.

      Fortunately for affected users, researchers have quickly created a tool to decrypt the files locked by the ransomware without needing to pay the ransom demand.

    • Mar 7

      First Mac OS X ransomware reported

      Security researchers reported the discovery of a copy of the Transmission torrenting software that was tainted with malicious code. The altered program, dubbed KeRanger, runs on Apple's OS X operating system and if installed, functions as ransomware, locking data on the user's machine, and then demanding a ransom of 1 Bitcoin to restore access.

      According to news reports, attackers had managed to compromise the legitimate Transmission website in order to plant the rogue copy of the torrenting software (version 2.90) on it. The substitution was quickly noticed, with the file being downloaded about 6,500 times before the issue was corrected with the 2.92 version.

    • Mar 16

      DRM flaw exploited to install apps on iOS devices

      Security researchers have reported the existence of malware that can be installed on a non-jailbroken iOS device. According to news reports, the researchers found three apps on the official App Store in China that appeared to offer wallpapers but instead steal Apple IDs and passwords.

      Of particular interest was how these apps were installed on the victim devices - the attackers first created what appeared to be a utility program for iOS devices (named Aisi Helper) and distributed this to users via a third-party site. When the helper program was installed on a (Windows) computer and an iOS device connected to it, the attackers could remotely direct the device to download and install the apps from the Store, using an authorization code that had been previously stolen. The method effectively bypassed normal app digital rights management (DRM) checks.

      Though the existence of this attack vector is of technical interest, other news reports have pointed out that it is unlikely to affect any users outside China. In addition, a user would need to have a Windows machine with the malicious helper program installed, and connect an iOS device to it, before they can be compromised.

    • Mar 25

      USB Thief malware targets air-gapped systems

      Security researchers have announced the discovery of malware specifically designed to target computers that do not connect to the Internet (known as 'air-gapped' computers). Dubbed USB Thief, the malware selectively infects USB drives that already hold installers for portable versions of popular programs such as Firefox or Notepad++. These portable versions run off the USB drive itself without installing any files on a connected computer. The malware then inserts itself into the installations of these programs as a DLL, so that it is also executed each time the programs are run.

      USB Thief is also notable for taking steps to confound attempts to copy it or even examine it in further detail. The malware uses AES encryption and generates the names of its files from specific details of the host USB device so that it can only run on that specific device, making reproduction of the malware on a researcher's test system effectively impossible.

      When successfully installed and run, USB Thief steals data from the victim machine. The data is saved on the USB device and encrypted, leaving no trace of its presence once the USB device is removed.

    • Mar 29

      Petya ransomware encrypts the MBR

      A particularly nasty strain of ransomware known as Petya has been reported targeting companies in Germany. Like most ransomware today, it is delivered by phishing email, which appears to be a legitimate business communication from an applicant for a job opening. The email contains a link to what appears to be a resume on a cloud storage service. If the link is clicked, the file is downloaded and turns out to be an executable program that downloads and executes the Petya ransomware.

      Unlike most of its crypto-ransomware brethren, Petya encrypts the computer's Master Boot Record (MBR), a special section of the computer hard drive that loads (boots) the operating system. When run, the ransomware first causes a system crash by triggering a 'blue screen of death' (BSOD). When the system is restarted, the malware encrypts the MBR, then displays a red screen with its ransom demand. 

    • Feb 8

      'Malware museum' launched

      An archive of old computer malware has been set up by Mikko Hypponen, F-Secure's Chief Research Officer. Containing a selection of malware dating from the 1980s and 1990s, the collection mostly features programs that are "mischievous" in nature, rather than outright harmful. All malware in the museum was altered to remove its malicious capabilities.

    • Feb 8

      T9000 malware steals Skype data, avoids security products

      Security researchers at Palo Alto Networks have reported on a malware, dubbed T9000, that can take recordings and screenshots of Skype calls, as well as steal data from the affected system. According to the report, the T9000 malware is distributed in an RTF file; if the user unwittingly opens the file, it launches exploits against the CVE-2012-1856 and CVE-2015-1641 vulnerabilities in various versions of Microsoft Office programs; if the exploit is successful, the malware can install itself on the system.

      Of particular interest to security researchers are the methods the malware uses to avoid detection by security programs. T9000 identifies 24 security products and modifies its own installation mechanism in order to avoid detection by these products.

    • Feb 18

      Enabling macros in Word docs leads to Locky ransomware

      One of the biggest threats to emerge in 2016 so far has been the Locky ransomware. This malware is distributed in a Microsoft Word document that typically claims to be an invoice. If the user opens the document and macros are enabled in Microsoft Office, the ransomware is able to run immediately and encrypt files stored on the computer. If macros are not enabled (as is the default setting for later versions of Microsoft Office), the document appears to be scrambled and displays a message asking the user to enable macros in order to view it correctly. If the user chooses to do so, the Locky ransomware is again able to run and encrypt files.

      Once the files are encrypted, Locky changes the desktop background to display a ransom note pointing to a location (hidden in the Tor anonymizing network) where the victim can make payment in order to restore access to their affected files.
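      A defender-side triage check covering the two attachment tricks noted on this page: the password-protected, encrypted Office documents of the Dridex run (above) and the macro-carrying Word invoices used by Locky. This is an added example, not code from the calendar or from any of the vendors it mentions. It uses only the Python standard library; the sample documents, the file names and the OLE stream-name heuristic are constructed for illustration, and a real OLE parser would be the more robust choice for the encrypted case.

```python
"""Triage Office e-mail attachments for two risky shapes (added example).

- OOXML (zip-based) documents that carry a vbaProject.bin part: the file
  contains VBA macros, the delivery mechanism Locky relies on.
- OLE compound files that contain an 'EncryptedPackage' stream: a
  password-protected OOXML document, the Dridex tactic for evading scanners
  that cannot decrypt the attachment.
Sample inputs are constructed in memory so the script runs offline.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are stored as UTF-16LE, so a raw byte search for
# these labels is a cheap heuristic that needs no compound-file parser.
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
VBA_PROJECT_STREAM = "_VBA_PROJECT".encode("utf-16-le")


def classify_office_attachment(data: bytes) -> dict:
    """Return verdict flags for one attachment body.

    Keys: kind ('ooxml', 'ole' or 'other'), has_macros, encrypted, suspicious.
    """
    result = {"kind": "other", "has_macros": False, "encrypted": False}
    if data.startswith(ZIP_MAGIC):
        result["kind"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        # Any part named vbaProject.bin means the document carries VBA code,
        # regardless of whether the extension says .docx or .docm.
        result["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    elif data.startswith(OLE_MAGIC):
        result["kind"] = "ole"
        # Encrypted OOXML is wrapped in an OLE container holding this stream;
        # legacy binary .doc/.xls files keep their macros in a _VBA_PROJECT stream.
        result["encrypted"] = ENCRYPTED_PACKAGE in data
        result["has_macros"] = VBA_PROJECT_STREAM in data
    result["suspicious"] = result["has_macros"] or result["encrypted"]
    return result


def triage(attachments):
    """Return the names of attachments that warrant quarantine or sandboxing."""
    return [name for name, body in attachments
            if classify_office_attachment(body)["suspicious"]]


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_encrypted_doc() -> bytes:
    """Constructed stand-in for a password-protected Office file: OLE magic
    followed by padding and the directory entry name this heuristic looks for.
    It is not a valid compound file, only the bytes the check inspects."""
    return OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_PACKAGE + b"\x00" * 32


if __name__ == "__main__":
    samples = [
        ("invoice_2016.docm", build_sample_docx(with_macro=True)),
        ("report.docx", build_sample_docx(with_macro=False)),
        ("statement.doc", build_sample_encrypted_doc()),
    ]
    for name, body in samples:
        print(name, classify_office_attachment(body))
    print("flagged:", triage(samples))
```

      The check deliberately ignores the file extension: Locky's lure works because the document carries macros, not because it is named .docm, and an encrypted attachment is recognisable from its container even when the gateway cannot open it. A mail gateway would route anything `triage` returns to a sandbox or hold it for the recipient to confirm.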

    • Feb 29

      ATMZombie Trojan strikes Israeli banks

      Security researchers at Kaspersky Labs have reported on a malware, dubbed ATMZombie, that has been targeting banks in Israel. The malware is reportedly distributed in phishing email messages to the victims and if successfully installed on a machine, can use a number of techniques to steal the victim's online banking credentials.

      Once the credentials are obtained, the criminal gang behind the malware reportedly uses 'money mules', or accomplices who provide physical assistance for bank transfers, in order to withdraw money from the victim's account.

      According to the reports, the banks have compensated the victims for their losses, leaving the financial institutions to bear the brunt of the malware's actions.

    • Jan 6

      JavaScript ransomware-as-a-service found

      Researchers have announced the discovery of a JavaScript-based ransomware identified as Ransom32 that leverages the NW.js application development framework to infect victims. Reports indicate that current Ransom32 variants target Windows systems, but the malware's use of the framework raises concerns that it could also be packaged for other operating systems.

      Ransom32 is sold as a service, offered on a web server hidden by the Tor anonymizing network. The malware itself is delivered in a compressed RAR file that auto-extracts itself, then encrypts files on the affected system.

    • Jan 19

      250 Hyatt hotels affected by POS malware in 2015

      Hyatt Hotels announced that in 2015, 250 of its hotels (almost half of its 627 properties) in over 50 countries had been affected by point-of-sale (POS) malware that stole credit card details, including cardholder names, card numbers, expiration dates and internal verification codes. The chain has not provided a figure for how many customers are likely to have been compromised, but said they were offering a year of credit monitoring to potential data theft victims.

      Given the number of properties affected, Hyatt appears to have been the hotel chain most widely affected by malware, though other chains have also been similarly troubled in recent months, including Trump Hotels, Starwood Hotels and Resorts, and Hilton Hotels.


    • 13 Dec

      0-day flaw in Netgear routers reported

      Netgear announced that routers in their R6400, R7000, and R8000 product series were vulnerable to the VU#582384 (CVE-2016-6277) vulnerability that was recently publicly reported. The vulnerability is said to be trivially easy to exploit, as it only requires an attacker to lure the user onto a specially-crafted webpage that abuses the flaw.

      Following the news that exploit code for the vulnerability had been publicly released online, both security researchers and US-CERT have urged users to either disable their router's web server feature or cease using the routers entirely until a fix is published. Netgear in turn has announced that they were working on a firmware update to address the flaw.

    • 16 Dec

      Linux zero-day exploits released

      A security researcher made public an exploit for a zero-day drive-by download against Fedora 25 + Google Chrome and Ubuntu 16.04 LTS. The exploit targets a memory-corruption vulnerability in the GStreamer media framework shipped in many Linux distributions, and requires the user to be lured to a specially crafted webpage.

      This is the second exploit targeting Linux systems to have been released in recent weeks by security researcher Chris Evans, though the previously reported exploit is only effective against much older versions of Linux distributions.

    • 9 Nov

      Google to patch Dirty Cow flaw in Dec Android patch

      Google has released a supplemental patch for the CVE-2016-5195 'Dirty Cow' vulnerability, which affects Linux systems and can also be used to gain root privileges on Android devices.

      The patch for the Pixel and Nexus devices is expected to be followed by a full patch in the December Android Security Bulletin. In the meantime, Samsung has released a patch for the vulnerability in its November update for selected Galaxy devices.

    • 15 Nov

      Major, easily-exploitable flaw in Linux reported

      Security researchers reported a notable vulnerability in the Linux Unified Key Setup-on-disk-format (LUKS) mechanism found in almost all Linux distributions, which could be exploited to allow an attacker to launch a shell with root privileges. The CVE-2016-4484 flaw, which only affects machines that have encrypted system partitions, can be exploited by holding the 'Enter' key down for 70 seconds while the system is booting.

      Instructions for fixing systems to close the flaw have been released by the researchers.

    • 17 Nov

      New iOS Siri lockscreen bypass reported

      Security researchers reported the discovery of a lockscreen bypass attack that affects any iOS device which can receive Facetime or phone calls. The hack, which is demonstrated in videos posted online, involves using Siri to activate the VoiceOver feature on a target phone in the attacker's possession, then hijacking it to gain access to the device's contacts, photos and messages.

      Users can avoid exposure to this attack by disabling Siri on the lockscreen, until an iOS update is released to address the issue.

    • 23 Nov

      Old InPage 0-day used in attacks on Asian banks

      Security researchers reported observing targeted attacks against banks in Asia that leveraged an old zero-day flaw in the InPage word processor, which is popularly used in the region to deal with documents in languages such as Urdu, Persian, Pashto and Arabic.

    • 21 Oct

      Linux flaw being actively targeted, patch released

      Researchers announced that the CVE-2016-5195 flaw in all versions of the Linux operating system is under active exploitation. The flaw was reportedly first identified by Linus Torvalds 11 years ago and can be exploited by a local user to gain more privileges, eventually leading to total control of the system.

      The Linux kernel maintainers have released a patch for the bug (also known as Dirty Cow) and users are urged to patch their systems as soon as possible.

    • 24 Oct

      Drammer attack exploits Rowhammer hardware flaw in Android devices

      Security researchers have confirmed that Android can be successfully compromised using a specially crafted app to exploit a hardware vulnerability present in RAM memory chips in order to gain root privileges. The Drammer attack used by the researchers targets the known Rowhammer flaw to gain unauthorized memory access.

      Google has confirmed that they are releasing a software patch which would mitigate against the Drammer attack, but would not solve the underlying hardware flaw.

    • 27 Oct

      New AtomBombing code injection technique for Windows reported

      Security researchers announced the discovery of a new code injection technique named AtomBombing which could be used to target Windows systems and inject malicious code. 

      Unlike other code injection techniques, AtomBombing does not exploit a vulnerability in the Windows operating system and instead takes advantage of a built-in component in the OS known as atom tables, which stores certain types of data from applications on the system. By injecting code into the tables, the researchers were able to force applications to run the inserted code.

      As the technique uses a normal process in the operating system, it is overlooked by security programs. Researchers have noted the difficulty of separating malicious use of the atom tables from legitimate use, which would make it extremely difficult to create a patch against this technique.

    • 27 Oct

      3 flaws reported in LibTIFF library, 2 patched

      Three vulnerabilities have been reported in the LibTIFF library, which is used to support TIFF image files. The CVE-2016-5652, CVE-2016-5875 and CVE-2016-8331 flaws could all reportedly lead to remote code execution if successfully exploited. Patches for two of the three vulnerabilities have been released in the LibTIFF CVS repository and users are urged to apply the patches promptly.

    • 27 Oct

      Emergency patch for actively targeted Flash Player flaw

      Adobe has issued an emergency patch for a vulnerability in Flash Player that Google reported was being actively targeted in-the-wild to compromise some users running Windows 7, Windows 8.1, and Windows 10.

      The CVE-2016-7855 bug is patched in version for Windows and Mac users, and for Linux. Users are urged to update their Flash Player installations as soon as possible.

    • 31 Oct

      Google: 0-day flaw in Windows being actively exploited

      Security researchers at Google announced the discovery of a zero-day vulnerability in the Windows operating system, which they say is being actively exploited in-the-wild. The vulnerability, which was reported privately to Microsoft on Oct 21, involved "a local privilege escalation in the Windows kernel that can be used as a security sandbox escape".

      According to reports, the researchers made the announcement in accordance with Google's policy of disclosing vulnerabilities within 7 days if they are under active exploitation. Microsoft has so far not announced a fix for the flaw.

      The disclosure of the Windows vulnerability comes within the same time span as a similar incident involving Flash Player, in which Google privately reported an actively-exploited flaw in the popular media player. In that case, Adobe responded within days with an emergency patch.

    • 13 Sep

      0-day flaw in MySQL reported

      A critical vulnerability was announced in all versions of the popular MySQL database program which, if successfully exploited, could allow remote code execution. The CVE-2016-6662 flaw also affects software linked to MySQL, such as MariaDB and PerconaDB.

      According to the researcher who discovered the flaw, he had privately reported the vulnerability to Oracle, but decided to publicly announce its existence (together with a limited proof-of-concept exploit) when the vendor failed to patch the flaw within 40 days of the report. The other affected vendors have issued patches for their own products.

    • 21 Sep

      Tesla issues patch for remote hack flaw

      Tesla quickly released a patch for the flaw that allowed a team of security researchers to remotely hack into and control one of its Model S cars.

      In a video demonstration of the hack, the researchers were able to control the car's brakes, and open its boot, among other actions. The attack involved connecting the car to a malicious WiFi hotspot and then attacking an electronic control unit to gain access to the internal systems.

      While the attack has been characterized as 'low-risk', Tesla has been commended for its prompt action in investigating and fixing the vulnerability.

    • 23 Sep

      Drupal releases update to patch 3 flaws, 2 critical

      Drupal announced the release of an update for its content management system to address three reported flaws, two of which are rated critical. The first critical flaw is a cross-site scripting (XSS) vulnerability in HTTP exception handling, while the second allows a full configuration export to be downloaded without administrative permissions.

      The vulnerabilities, collectively identified as SA-CORE-2016-004, affect versions 8.x, with the fixes for them being released in version 8.1.10.

    • 27 Sep

      iOS 10 backup flaw reported

      Apple confirmed news reports that a security flaw in the way iOS 10 handles locally stored encrypted backup files allows them to be cracked far more easily than on previous versions of the popular mobile platform. The tech giant has also confirmed that they are working on a fix for the issue.

    • 11 Aug

      Volkswagen keyless entry systems exposed to remote hack

      Security researchers reported their discovery of a flaw in the keyless entry systems used on certain vehicles that could allow a nearby attacker to eavesdrop on and clone the 'key' transmitted when the lock/unlock buttons on a key fob are pressed.

      According to the security researchers, some models of Audi, Volkswagen, Seat and Skoda vehicles produced since 1995 would be exposed to an attack targeting the flaw, which requires only readily-available equipment to execute. News reports have estimated that the number of cars that could be exposed to the attack runs into the millions.

    • 16 Aug

      Researchers: Android inherited Linux 'traffic hijacking' flaw

      Security researchers have concluded that a flaw in the Linux operating system that was reported earlier this year would also affect Android devices, as the popular mobile operating system uses code that is based on Linux.

      The side channel vulnerability (CVE-2016-5696), which reportedly entered Android with the 4.4 (KitKat) release, could allow an off-path attacker to determine whether two hosts are communicating over TCP and then inject content into, or terminate, unencrypted connections in order to tamper with or snoop on the transmitted communications. The flaw has remained present in all subsequent OS versions.

      While attacks targeting the flaw are thought to be 'impractical' for mass deployment, they are considered at least 'feasible' for more targeted attacks. The flaw has been patched in the Linux kernel, but is still in the process of being addressed on the Android platform.

    • 9 Jun

      'High severity' vuln in Chrome PDF Reader reported

      Security researchers reported discovering a vulnerability in the built-in PDF reader used by the Chrome web browser that could be exploited by an attacker to run arbitrary code on the user's system.

      The flaw (CVE-2016-1681) in the PDFium reader used by Chrome can be triggered if the user unwittingly opens a specially-crafted PDF document containing a malicious image, which would trigger a heap buffer overflow.

      Google has since fixed the flaw in the 51.0.2704.63 version of the browser; as Chrome automatically updates to the latest version by default, most users will already be using the version with the fix. If the Chrome browser is set to prevent auto-updating, the user will need to manually update it to receive the latest fixed version.

    • 15 Jun

      Flash Player zero-day vuln actively targeted, patch now

      Adobe has released an update that fixes 36 security issues in its popular Flash Player program, including a fix for the CVE-2016-4171 zero-day flaw being attacked to install malware on users' computers.

      Users are urged to update their Flash Player to the latest version as soon as possible.

    • 21 Jun

      Apple keeps mum on patched AirPort router flaw

      Apple released a patch for the CVE-2015-7029 flaw reported in its AirPort routers, which if successfully exploited could allow an attacker to remotely execute code on the affected device.

      While the release of the fix is welcome news for an issue that was reported nine months ago, few other details about the vulnerability have been released by the company other than that it involves a DNS parsing flaw. Commentary from security researchers on the update has speculated about how the router could be exploited. Apple AirPort users are urged to update the firmware of their device with the security patch.

    • 21 Jun

      Libarchive flaws reported, new version released

      The developers of the Libarchive library (a popular programming library used in many archiving tools, file browsers and other utility programs) have released a new version to address a number of reported vulnerabilities.

      The new version fixes the CVE-2016-4300, CVE-2016-4301 and CVE-2016-4302 vulnerabilities reported by security researchers, each of which could allow arbitrary code execution if successfully exploited.

      While Libarchive version 3.2.1 closes these flaws, software developers who bundle the library in their products will still need to ship updated builds of their own products that use the fixed version.

    • 3 May

      ImageMagick flaw affects websites, patch now

      A vulnerability has been reported in the popular ImageMagick software used by websites to process images, which can be easily exploited using specially-crafted image files.

      The image processing software is used on many websites and content management systems to resize and edit images uploaded by users. The CVE-2016-3714 vulnerability, if exploited, would allow an attacker to execute arbitrary code on the web server.

      According to reports, the vulnerability is being actively attacked in-the-wild. Mitigation measures (a restrictive policy.xml that disables the vulnerable coders, and verifying that uploaded files begin with the magic bytes of the image type they claim to be) and at least partial patches have been made available by the ImageMagick developers, though security researchers have noted that the patches are "incomplete".
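      As an added example (not code from this page or from the ImageMagick project), the script below checks the two published mitigations: that a policy.xml forbids the coders the ImageTragick guidance lists (EPHEMERAL, URL, HTTPS, MVG, MSL, and the later additions TEXT, SHOW, WIN, PLT), and that an uploaded file's leading bytes match the image type it claims to be, which stops an MVG or MSL script renamed to .jpg from ever reaching the vulnerable coder. The two policy fragments and the sample upload bytes are constructed here for the offline self-test, and the function names are assumptions of this example, not ImageMagick's own.

```python
"""Check ImageMagick's CVE-2016-3714 mitigations: policy.xml coder restrictions
and magic-byte validation of uploads. Added example, not part of the original
page or of ImageMagick; policy fragments below are constructed for the self-test.
"""
import xml.etree.ElementTree as ET

# Coders the ImageTragick mitigation guidance says to disable. The first five are
# the ones abused for command execution and file read/write; the rest were added later.
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}

# Leading bytes of the upload types a typical site accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def disabled_coders(policy_xml: str) -> set:
    """Return the coder names a policy.xml forbids outright (rights="none")."""
    root = ET.fromstring(policy_xml)
    out = set()
    for p in root.iter("policy"):
        if p.get("domain") == "coder" and p.get("rights", "").lower() == "none":
            # pattern is a single coder or a brace list such as "{EPHEMERAL,URL}"
            for name in p.get("pattern", "").strip("{}").split(","):
                if name.strip():
                    out.add(name.strip().upper())
    return out


def missing_mitigations(policy_xml: str) -> set:
    """Risky coders the policy still leaves enabled; an empty set means the guidance is applied."""
    return RISKY_CODERS - disabled_coders(policy_xml)


def magic_matches(data: bytes, claimed_ext: str) -> bool:
    """True if the file header is consistent with the declared extension.

    A file named photo.jpg that really starts with 'push graphic-context' is an MVG
    script, which ImageMagick would otherwise detect by content and interpret.
    """
    sigs = MAGIC.get(claimed_ext.lower().lstrip("."))
    if sigs is None:
        return False  # unknown type: reject rather than let ImageMagick guess
    return any(data.startswith(s) for s in sigs)


# Constructed policies for the self-test (weak: resource limits only; hardened: guidance applied).
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="{TEXT,SHOW,WIN,PLT}"/>
</policymap>"""

# Constructed upload: an MVG script masquerading as a JPEG.
FAKE_JPG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    print("weak policy leaves enabled:", sorted(missing_mitigations(WEAK_POLICY)))
    print("hardened policy leaves enabled:", sorted(missing_mitigations(HARDENED_POLICY)))
    print("fake .jpg accepted:", magic_matches(FAKE_JPG, "jpg"))
```

      Run both checks together: the policy stops the dangerous coders even when a file slips through, and the magic-byte check keeps polyglot uploads away from the library, which matters because the early patches were reported as incomplete.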

    • 6 May

      Android Qualcomm chip API bug reported

      Security researchers announced the discovery of a flaw in Android devices using certain chips that could, if successfully exploited, allow a malicious app to steal data from the affected device.

      The issue only affects Android handsets that use chips manufactured by Qualcomm. The flaw, identified as CVE-2016-2060, lies in Qualcomm-supplied software (the netd network daemon) that mediates between the chip and the device's operating system, rather than in the chip hardware itself. According to reports, the vulnerability could be silently exploited by specially crafted apps to access device data and settings without raising suspicions in the user. At the time of writing, there have been no reports of an attack targeting the flaw.

      Qualcomm was notified of the flaw and a fix was created before the news was announced. Due to the complex nature of device patching in the Android ecosystem however, which involves multiple manufacturers and models, users would need to check with their device manufacturer to verify when - or if - their device will be receiving the patch.

    • 3 May

      OpenSSL project releases update to patch multiple flaws

      The OpenSSL project has released updates for various versions of its software that address a number of security flaws, including two (CVE-2016-2108 and CVE-2016-2107) that are considered "high" severity.

      OpenSSL is critical software used by countless organizations to secure their online communications. Prior to the release of the new versions, the OpenSSL project made a relatively low-key announcement informing its users that an update would be provided within a few days, but offered no further details so as not to tip off attackers before the update was released.

    • 11 May

      Companies with unpatched SAP flaw still vulnerable

      Security researchers reported that a vulnerability in SAP software that was fixed in 2010 was still unpatched in numerous companies surveyed in 2016, leaving them vulnerable to an attack that could allow attackers to gain complete control of the affected organization's business applications.

      Following the initial report, the US-CERT issued an advisory highlighting the security implications of leaving the bug unpatched. Subsequently, a second report was published that noted over 500 companies were still vulnerable to the issues, rather than the dozens found in the original study.

    • 12 May

      Adobe patches zero-day flaw under active attack

      Adobe has released patches for 25 vulnerabilities in its popular Flash Player software, including for the critical CVE-2016-4117 flaw which is already being actively exploited in-the-wild.

      According to security researchers, attackers targeted the CVE-2016-4117 vulnerability using exploit code embedded in a Microsoft Office document. Victims are either emailed the file directly as an email attachment, or are given a link to download it. Once the file is opened and the exploit run, the system could crash and subsequently allow the attacker to take control of the system.

      Soon after the release of the patch, the exploit for the CVE-2016-4117 vulnerability was found included in major exploit kits. Users are strongly recommended to update their Flash Player installations with the latest patches.

    • 12 May

      7-Zip tool releases 16.00 version to fix 2 flaws

      7-Zip announced the release of the 16.00 version of their product, which addresses a couple of serious vulnerabilities (CVE-2016-2334 and CVE-2016-2335) related to improper data input validation.

      The flaws in the popular archiver tool were privately reported by security researchers from Cisco's Talos group. As the tool is used by numerous utilities and business applications, the announcement of the flaws has had a knock-on effect, with software developers checking to determine if their own products are affected.

      As older versions of the 7-Zip tool still have the flaws, users are strongly recommended to update to the latest version.

    • 6 Apr

      Apple squashes Siri 'lockscreen bypass' bug

      Apple has quickly fixed a bug in its Siri voice assistant that could allow an attacker to bypass the lockscreen on certain iPhone models, allowing access to the device's contacts or photos.

      First demoed in a YouTube video, the flaw is only exploitable on an iPhone 6S or 6S Plus, as it relies on being able to access the 3D Touch menu. The bug was fixed by the company within two days without needing to push an update to users (Siri is server-based, so changes only needed to be made on the servers). Users are now prompted to first unlock the device before Siri will complete an action from the lockscreen.

    • 7 Apr

      MagnitudeEK targets 0-day Flash Player flaw

      Exploit code for a zero-day vulnerability in the Flash Player program was found being used by the popular Magnitude exploit kit, prompting Adobe to release an emergency update to address the flaw.

      The vulnerability, identified as CVE-2016-1019, affects Flash Player versions prior to the emergency update. If successfully exploited, the vulnerability could allow remote code execution. A security advisory with advice on mitigation measures was published on 5th April, and the full update was released on 7th April.

    • 14 Apr

      Badlock flaw underwhelms; patches released

      Following the month-long hype leading up to the release of information about the vulnerability known as Badlock (CVE-2016-0128), security researchers were largely underwhelmed once the full details were finally made public.

      The Badlock flaw affects both Microsoft Windows and the Samba software (tracked as CVE-2016-0128 on Windows and CVE-2016-2118 in Samba), in the SAM and LSAD remote protocols used to manage security accounts, and could potentially allow man-in-the-middle (MitM) or denial-of-service attacks. Both Samba and Microsoft have released advisories that address the issue, and have urged users to install the latest updates in a timely manner.

      Despite the potential impact of a successful attack against the Badlock vulnerability, there have been disagreements in the security research community about whether the flaw warranted as much attention as it gained, particularly because exploitation would require an attacker to already be positioned inside the targeted local network to intercept traffic. Microsoft rated the vulnerability as 'important', rather than the highest ranked 'critical'.

    • 19 Apr

      Apple: QuickTime not supported, flaws won't be patched

      Tech giant Apple has confirmed that it is no longer supporting its QuickTime media player. The confirmation follows an announcement from the Zero-Day Initiative of two vulnerabilities, ZDI-16-241 and ZDI-16-242, found in QuickTime for Windows.

      News of the vulnerabilities had prompted a recommendation from the US Department of Homeland Security urging users to uninstall the program from their computers, as Apple was apparently no longer developing the product and had stopped issuing security updates.

      Apple's abrupt announcement took a number of vendors by surprise, including Adobe, whose Creative Cloud products use QuickTime as an integral part of their software suite. Users who are not dependent on the player for business or productivity are urged to proactively uninstall it from their machines to remove a potential entry point for attackers.

    • 1 Mar

      DROWN attack flaw in TLS protocol announced

      A team of security researchers has announced a flaw in the popular TLS secure communication protocol's deployment that could be used by attackers to break the encryption protecting a session and allow them to read and steal data transmitted using the protocol. The attack scenario was given the media-friendly name DROWN, for "Decrypting RSA with Obsolete and Weakened eNcryption".

      An attack involves exploiting a vulnerability (CVE-2016-0800) in the old, retired SSLv2 protocol, the predecessor of TLS, to decrypt TLS sessions. It is effective against any server that still supports SSLv2, and also against a server that has SSLv2 disabled but shares its RSA private key with another service (a mail server, for instance) that still accepts SSLv2 connections.

      OpenSSL released updated versions alongside the announcement that disable SSLv2 by default, together with a security advisory addressing the issue. Administrators are urged to disable SSLv2 on every service, not only web servers, that uses the same certificate key.
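      The precondition a practitioner checks for is whether any service holding the RSA key still completes an SSLv2 handshake. The probe below is an added example and is not code from this page or from the DROWN researchers: it hand-builds an SSLv2 CLIENT-HELLO from the SSL 2.0 record layout (Python's ssl module no longer speaks SSLv2) and recognises a SERVER-HELLO in the reply. The two sample responses embedded for the offline self-test are constructed, not captured from any real server, and the function names and the placeholder host in the usage line are assumptions of this example.

```python
"""Probe a TCP service for SSLv2 support, the precondition for DROWN.

Added example, not part of the original page. The CLIENT-HELLO is built by hand
because modern TLS libraries refuse to speak SSLv2; SAMPLE_* byte strings are
constructed here for the self-test.
"""
import socket
import struct
import sys

# SSLv2 cipher-kind identifiers (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind, in a 2-byte record header."""
    specs = b"".join(SSLV2_CIPHERS)
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, 0x0002,   # msg type, version 2.0
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte header: high bit set means no padding byte, low 15 bits are the body length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes):
    """Return the SSLv2 cipher names a SERVER-HELLO offers, or None if the reply is not one.

    A TLS alert (first byte 0x15) or an empty reply fails the high-bit check and yields None.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    # msg_type(1) session_id_hit(1) cert_type(1) version(2) cert_len(2) specs_len(2) conn_id_len(2)
    _, _, _, version, cert_len, specs_len, _ = struct.unpack("!BBBHHHH", body[:11])
    if version != 0x0002:
        return None
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)]


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Send the CLIENT-HELLO and report offered SSLv2 ciphers (None means no SSLv2 on this port)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_hello(sock.recv(4096))


# Constructed replies for the offline self-test (not captured from any real server).
SAMPLE_SSLV2_HELLO = (b"\x80\x0e" + bytes([MSG_SERVER_HELLO, 0, 1]) + b"\x00\x02"
                      + b"\x00\x00" + b"\x00\x03" + b"\x00\x00" + b"\x01\x00\x80")
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"   # TLS alert record: handshake_failure

if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: python drown_probe.py mail.example.invalid 465
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(sys.argv[1], port, "SSLv2 ciphers:", probe(sys.argv[1], port))
    else:
        print("self-test:", parse_server_hello(SAMPLE_SSLV2_HELLO),
              parse_server_hello(SAMPLE_TLS_ALERT))
```

      A non-empty cipher list means the service completed an SSLv2 handshake and every TLS session under that key is exposed; a TLS alert or a closed connection means SSLv2 is off on that port. Probe SMTP, IMAP and other ports that present the same certificate, not only 443, because DROWN needs only one SSLv2 endpoint holding the key.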

    • 18 Mar

      Researcher urges users, admins to update flawed git clients, servers

      A security researcher has urged users and system administrators who use the Git version control software to update their clients and servers in order to patch two vulnerabilities, CVE-2016-2324 and CVE-2016-2315.

      The flaws, which were discovered by the same researcher, are present in versions below 2.8.0. If successfully exploited, the vulnerabilities could allow attackers to execute code on affected servers or clients.

      The vulnerabilities were reported to GitHub in November 2015 as part of its bug bounty program, and were awarded 5,200 points under that scheme.

    • 24 Mar

      Faulty patch for 2013 Java flaw left users vulnerable

      A patch for the CVE-2013-5838 flaw in Java, which was discovered and patched in October 2013, was recently found to be faulty and easily bypassed. The issue was discovered this year by the same security researchers who had found the original vulnerability. The researchers also noted that the vulnerability had been "improperly evaluated" by Oracle in terms of its security impact.

      Oracle has since issued an emergency patch for the vulnerability.

    • 21 Mar

      Flaw in iMessage encryption reported

      Researchers at Johns Hopkins University have reported a flaw in Apple's iMessage service. The researchers were able to intercept encrypted messages transmitted between a device and Apple's servers by setting up a server that emulated the legitimate ones.

      As the messages were encrypted with relatively weak 64-bit encryption and there was no limit on how many attempts could be made to decrypt them, the researchers were able to brute-force decrypt the captured messages.

      Apple has since announced that the flaw will be fixed in the iOS 9.3 update.

    • 21 Mar

      Study: 24 car models open to keyless entry hack

      Researchers in Germany have demonstrated that it is possible to amplify the signal from a car's key fob - the device that provides keyless entry to most modern cars - so that it can unlock the car at a greater distance. According to news reports, as many as 24 car models, from multiple manufacturers including BMW, Ford and Toyota, were vulnerable.

      The attack involves two attackers using specially crafted radios; one radio gathers the signals from a targeted car's key fob and relays them to the second radio, which the second attacker uses to open the car's doors (and in some cases, start the engine). The first attacker would need to be within several meters of the key fob to be able to gather the signals.

    • 17 Feb

      Linux Glibc 'mega-bug' reported

      A critical bug has been reported in the GNU C Library (glibc) component found in many Linux applications and devices. Researchers at Google and Red Hat, who reported the discovery (CVE-2015-7547, a stack-based buffer overflow in the getaddrinfo() function of glibc's DNS resolver that can be triggered by a crafted DNS response) and worked together to deliver a patch for the issue, have warned that the bug could be remotely exploited to allow an attacker to take total control of a vulnerable system, particularly on devices that are connected to the Internet.

      Administrators of affected devices or programs are urged to apply the patch as soon as possible.

    • 19 Feb

      AV products reported vulnerable to attack

      Google security researcher Tavis Ormandy has published research in recent months documenting flaws in popular commercial security programs that leave them vulnerable to attack, and publicly urging the software vendors to address the issues. As part of Google's Project Zero, the companies are privately informed of the research and given 90 days to fix them before the researchers make their findings public.

      Recent reports have uncovered issues with products from Trend Micro, Comodo and Malwarebytes. In each case, the flaws were fixed within days of their report or public disclosure. Malwarebytes also subsequently launched a bug bounty program to encourage responsible disclosure of vulnerabilities in its products.

    • 24 Feb

      Nissan Leaf car 'hackable'

      Security researchers have announced that the NissanConnectEV phone app, which connects to the Nissan Leaf electric car and allows its owner to control the vehicle's heating and cooling, can also be abused by a remote attacker. According to the researchers, as no user authentication is required when the app transmits a command to Nissan's servers and onwards to the car, an attacker who is able to identify the car's vehicle identification number (VIN) can also send commands to the car as though they were the owner.

      At least one news report covering the research highlighted the fact that control of the car's heating/cooling system may have a measurable impact on its battery charge and range. The original research acknowledges that remote control of the affected system does not otherwise affect the vehicle's driving controls.

    • 24 Feb

      Angler exploit kit exploits Microsoft Silverlight

      Security researchers have noted that the notorious Angler exploit kit has been updated to include exploit code for the CVE-2016-0034 vulnerability in Microsoft's Silverlight browser plugin. The vulnerability, which was patched in the previous month's regular Patch Tuesday update, could allow remote attackers to hijack a vulnerable system, with full control if the user is logged in as an administrator. Silverlight vulnerabilities have been relatively rare, especially in comparison to flaws in its popular rival Adobe Flash Player, making the inclusion of this exploit in a major exploit kit a notable development.


    • 1 Dec

      'Avalanche' malware network dismantled

      A global collaborative effort by over 40 law enforcement agencies around the world, as well as private sector partners, succeeded in dismantling the network of highly secured servers known as Avalanche, which were used by online criminals to distribute malware and organize money mule operations, among other criminal activities.

      The recent effort was the culmination of an investigation that began four years ago, and resulted in 5 individuals arrested, 37 premises searched, 39 servers seized, over 220 servers taken offline through abuse notifications sent to hosting providers and over 800,000 domains seized, blocked or sinkholed.

    • 12 Dec

      Global sting targets 'DDoS for hire' services users

      In a joint effort, the FBI, Europol and law enforcement authorities in multiple countries arrested 38 individuals for purchasing 'DDoS for hire' services, and interviewed around 100 other associated individuals.

      According to news reports, many of those arrested in what was dubbed Operation Tarpit were young, in some cases under 20 years old.

    • 27 Dec

      US: Police request Amazon Echo data in murder case

      US police have served a warrant to Amazon for data from an Amazon Echo unit that was found streaming music at a November 2015 murder scene, in hope that the voice-activated unit might have captured audio clips that could help in the investigation.

      The Amazon Echo unit monitors audio picked up by its microphone in order to detect the audio cues that act as commands for the unit. While in normal use such audio cues are routinely deleted from the cloud servers where they are processed, in some cases they may be forensically recoverable from the devices themselves. Amazon has reportedly refused to release the history of voice recordings associated with the device, and has declined to give any further specific details about the case.

    • 11 Sep

      vDos 'cyberattack' operators arrested

      A popular 'paid attack platform' was disrupted after Israeli police arrested two teenagers thought to be the operators behind a service that was essentially a 'Distributed Denial of Service (DDoS) for hire' operation.

      The arrests were made in connection with an investigation by the US Federal Bureau of Investigation (FBI). The incident was also highlighted by the popular cybersecurity researcher Brian Krebs, and may have been the instigation for a massive DDoS attack that hit the researcher's website days after the duo were released on bail and placed under house arrest.

    • 13 Sep

      NY: toy firms fined for tracking kids online

      The New York Attorney General's office issued fines to several prominent toy companies in a crackdown on websites that track the browsing behavior of children under 13, in violation of the Children's Online Privacy Protection Act (COPPA).

      COPPA requires websites to request parental permission before collecting personal information from Internet users under the age of 13, and limits marketing to such an audience. The investigation by the Attorney General's office found that though Viacom, Mattel, JumpStart and Hasbro did not intentionally design their websites to violate federal law, they included third-party advertising on the sites, which performed persistent tracking in order to serve targeted ads.

      In response, the four companies agreed to pay a combined total of USD835,000 in fines, as well as modify their websites and arrangements with third-party advertisers to stay in line with federal guidelines.

    • 27 Sep

      IS supporter who gathered US military 'kill list' jailed 20 years

      Kosovan hacker Ardit Ferizi was sentenced to 20 years in prison by the United States for hacking into the databases of a company hosting sensitive data on US military personnel in order to compile a list of over 1,300 customers with a .mil or .gov address. The compiled data was then forwarded to a contact in the IS terrorist organization for use as a 'kill list'.

    • 26 Sep

      Trump Hotels fined for data security failure

      Trump Hotel Collection, the hotel chain owned by US presidential candidate Donald Trump, has been fined for data security failures.

    • 28 Sep

      US: Guilty pleas in iCloud hacker and Syrian Electronic Army cases

    • 23 Aug

      Ashley Madison violated privacy laws, say watchdogs

      The Office of the Privacy Commissioner of Canada reported that Avid Life Media, the parent company of dating service Ashley Madison, had inadequate privacy and data security measures in place at the time of the hack in mid-2015. The inadequate protections left the company in violation of privacy laws in Canada.

      Following the leak of personal details from millions of Ashley Madison user accounts last year, Canada (and Australia) had launched investigations into the data breach, with the company agreeing to comply with recommendations made based on the investigations. News reports indicate that the company is required to complete a review by the end of this year of the protections it has implemented for private user information.

    • 23 Aug

      US: Woman jailed for 'attempting to spy' for China

      The US sentenced Wenxia Man, a US citizen, to 50 months in prison for attempting to provide classified military data and equipment to China.

      Man, who was born in China and emigrated to the US, was caught during a sting operation by the US Department of Homeland Security, following a tipoff that she had attempted to buy and export military equipment (notably, parts of the engines used in fighter jets). Over a period spanning from 2011 to 2013, Man had reportedly attempted to purchase and provide the equipment and related data to a contact she believed to be working with the Chinese government.

    • 25 Aug

      US: Russian MP's son convicted of credit card theft and fraud

      A US federal jury found Roman Seleznev, the son of Russian Parliament Member Valery Seleznev, guilty of stealing millions of credit card numbers and selling them online to cyber criminals.

      According to reports Roman Seleznev had hacked into and infected the Point of Sale (PoS) systems at various stores and restaurants in the United States in order to gather the details from credit cards swiped in the affected machines. At the time of his arrest, Seleznev reportedly had more than 1.7 million card numbers on his laptop, most of them from businesses located in western Washington state.

    • 5 Jul

      FBI: 'Charges not warranted over Clinton's email mishandling'

      The US Federal Bureau of Investigations (FBI) announced that former Secretary of State Hillary Clinton's use of a private email server while dealing with sensitive State Department communications did not warrant the pressing of criminal charges.

      The FBI's investigation was prompted by allegations that the former state official had mishandled the confidential correspondence, in disregard of strict guidelines that dictate how such material is meant to be handled.

      While the FBI did not recommend formal charges against the officials and support staff responsible for setting up and using the email server, the agency did publicly castigate the behavior of those involved as "extremely careless".

    • 15 Jul

      US jails Chinese hacker 4 years for fighter jet data theft

      Chinese businessman Su Bin has been sentenced to almost 4 years in jail by the United States for collaborating with hackers to steal data from US defense companies between 2008 and 2014.

      According to reports, the businessman had provided information to the hackers about the best personnel to target for their attacks, as well as what files to steal and the significance of the information they contained. The files reportedly contained details of military jets and transport vehicles.

      China has denied reports that the hackers who worked with the businessman were involved in the Chinese military.

    • 19 Jul

      Brazil: Whatsapp blocked again, then unblocked - over encryption

      Whatsapp endured yet another temporary shutdown in Brazil in July, after a judge ordered the service blocked for 'failing to provide information' that would assist an investigation. Following the court order, Whatsapp filed an injunction to lift the block, which was subsequently granted by the country's Supreme Court.

      Whatsapp has been under pressure in the country in recent months in relation to the encryption used on the messages transmitted by its app. According to the company, they are unable to comply with requests for assistance as the encryption is designed to prevent even their own staff from being able to view the messages being sent.

      This was the fourth time the service had been temporarily blocked by a court order in the last year.

      In the same month, another court also froze 19.5 million Brazilian reais (approx. USD6 million) in the account of Whatsapp's parent company, Facebook, over a failure to hand over data demanded by federal police in relation to an international drugs investigation.


    • 22 Jul

      Torrent site founder arrested in Poland, faces charges in US

      Popular file-sharing site Kickass Torrents was briefly downed after Ukrainian Artem Vaulin, its alleged founder, was arrested in Poland. In the days after the arrest, the site has reportedly been revived, with proxy sites also cropping up.

      US prosecutors are said to be preparing to extradite him to the United States, as well as filing charges for one count of conspiracy to commit criminal copyright infringement, one count of conspiracy to commit money laundering, and two counts of criminal copyright infringement.

      According to reports, federal investigators were able to trace the founder after they noted the use of a particular online name, which eventually linked to an Apple email account and Facebook account. Both tech firms provided the investigators with information from the accounts of interest in compliance with a search warrant.

    • 1 Jun

      Russia: 50 hackers arrested for Lurk trojan bank fraud

      Russia's Federal Security Service (usually identified by its Russian acronym, FSB) has arrested 50 individuals suspected of being part of a cyber criminal group responsible for stealing over 3 billion rubles (about USD45 million) from financial institutions in Russia over the course of five years.

      According to reports, the arrests were the biggest operation ever conducted in Russia against a cybercriminal group. The hackers infected users by compromising popular sites and silently installing the Lurk banking trojan on the machines of site visitors. Once the malware was installed, it gathered banking credentials and forwarded the details to the hackers, who were then able to use them to steal money from the compromised bank accounts.

      The Lurk trojan, which has mostly been used to target banking institutions in Russia and Eastern Europe, is considered particularly difficult to detect as it runs in memory. The group also reportedly used compromised VPN connections to hide their trail, making detection harder. The FSB's investigation into the group was assisted by Kaspersky Lab, which provided technical details of the group's operations, and the Russian Interior Ministry, which prevented the group from moving some of its ill-gotten gains.

    • 15 Jun

      Hacker pleads guilty to stealing data on US military personnel

      Kosovo citizen Ardit Ferizi pleaded guilty in a US court to stealing the personal information of over 1,300 US military personnel, with the intention of passing the data on to the so-called Islamic State (IS).

      According to reports, Ferizi had gained the information by hacking into the server of a retail store and stealing their customer data. He then filtered the data for details identifying military members and compiled the information into a document, which was then forwarded to a hacker tied to the extremist group.

      Ferizi was arrested by the Malaysian police and extradited to the United States, where he was charged with providing material support to terrorism as well as with hacking.

    • 16 Jun

      Facebook 'Spam King' jailed 30 months for spamming

      Sanford Wallace has been sentenced to 30 months in jail for using 500,000 compromised Facebook accounts to send over 27 million spam messages through the social network's servers between 2008 and 2009.

      To gather the contacts needed for the spam operation, Wallace had reportedly used fake websites with links that, when clicked, would steal the friends lists from Facebook users' accounts. A script would then send spam messages to all contacts on the lists.

      This is the third time Wallace has been sued for spam-related offences. On a previous occasion, a lawsuit brought against him by Facebook had led to a ban on logging into his Facebook account, which he also disobeyed. Wallace will also be required to undergo a psychiatric evaluation, and is forbidden from owning or using a computer without court approval for the duration of a five-year probation period following his jail term.

    • 4 May

      Gozi trojan mastermind sentenced

      Nikita Kuzmin, the Russian hacker who pleaded guilty to developing and distributing the Gozi malware, was sentenced in New York to 37 months in prison and a fine of just under $7 million.

      The Gozi trojan created by the hacker had been used to steal tens of thousands of bank account details and other sensitive information from infected machines, which were then used to steal funds from the compromised accounts. In addition, the malware was sold to other hackers in a 'malware-as-a-service' scheme.

      According to reports, the hacker was able to escape a harsher sentence after providing 'substantial assistance' to federal prosecutors, leading to the Department of Justice requesting that the judge provide a more lenient sentence. As a result, Kuzmin's jail time was limited to the period that he had already served.

    • 17 May

      Hacker who 'gamed' stock market pleads guilty

      Ukrainian hacker Vadym Iermolovych pleaded guilty to charges of hacking into corporate press release distribution services in order to steal information and conduct insider trading.

      According to news reports, the hacker stole unpublished copies of press releases filed with news networks, such as Marketwired and PR Newswire. The information was then used to make trades on the stock market, essentially 'gaming' the system to gain millions of dollars in profit.

      Iermolovych is the first person to be criminally charged in the case; ten other defendants also face criminal charges over involvement in the scheme.

    • 7 Apr

      Researchers take down Linux Mumblehard botnet

      A joint effort by security researchers at ESET, the CyS Centrum LLC and the Cyber Police of Ukraine has shut down the main command and control (C&C) server of the Mumblehard botnet.

      First described in April 2015, the botnet had been used by a cybercriminal group to send out massive quantities of spam. The botnet was also notable for being made up of thousands of infected Linux machines, rather than the more commonly targeted Windows machines.

      Following the takedown of the C&C server, the researchers and authorities have been contacting administrators of infected machines to prompt them to disinfect their systems and harden their defenses to prevent a recurrence.

    • 13 Apr

      Journalist jailed 2 years for aiding Anonymous news site vandalism

      A journalist convicted in October 2015 under the Computer Fraud and Abuse Act has been sentenced to 2 years in jail in the United States for providing the Anonymous group with assistance that allowed them to deface a news website.

      Matthew Keys was convicted of sharing the login credentials for the content management system of the LA Times' website with the hacktivist group. The credentials were subsequently used by a hacker (with the pseudonym Sharpie) to digitally vandalize an article on the site.

    • 14 Apr

      Blackhole author jailed 7 years in Russia for online bank thefts

      Seven hackers were convicted in Moscow of stealing from online bank accounts and sentenced. Among the defendants was Dmitry 'Paunch' Fedotov, best known for being the author of the infamous Blackhole exploit kit. The malware delivery toolkit was one of the most active threats online just a few short years ago, though it was quickly usurped by other similar products after Paunch was arrested in 2013.

      The Blackhole exploit kit was used to perpetrate a range of cybercrimes, most notably the theft of online banking credentials, which were subsequently used to steal money from the compromised online bank accounts. While estimates of the monetary damage attributable to use of the exploit kit vary wildly, most are in the region of tens of millions of dollars.

    • 3 Mar

      Turkish ATM skimming gang leader pleads guilty

      The ringleader of a cybertheft gang, accused of running a hacking and ATM fraud operation, has pleaded guilty in a US court.

      According to news reports, Ercan Findikoglu was one of the main perpetrators of a series of hacks targeting credit card and payment processing companies. The attacks involved stealing data about credit and debit cards, in particular the PINs associated with the cards, which was then passed on to associates who made fraudulent ATM withdrawals. The operation was able to withdraw almost USD50 million over a period of two years (2011 to 2013), with withdrawals being made in multiple countries.

      Findikoglu was finally apprehended in Germany in 2013, then extradited to the US.

    • 7 Mar

      Romanian 'Guccifer' hacker to be extradited to US

      The Romanian hacker Marcel Lehel Lazar is due to be extradited to the United States on charges of breaking into the email and social media accounts of US government officials, as well as those belonging to relatives of former US president George Bush.

      Referred to in his 2014 indictment as 'Guccifer' - the name used when passing documents and pictures stolen from hacked accounts to the media - Lazar was already a convicted hacker at the time, having received a three-year suspended prison sentence in 2012 for attacking the email accounts of Romanian celebrities.

    • 15 Mar

      'Celebgate' hacker pleads guilty

      The man behind the 'Celebgate' hacks, in which photos and videos were stolen from over 100 hacked email accounts, including some belonging to celebrities, has pleaded guilty to the charges.

      According to news reports, Ryan Collins had sent emails pretending to be from Apple or Google to the account holders requesting their login credentials; the stolen passwords were then used to log into the accounts and search for compromising photos and videos. This finding countered rumours circulating at the time that the hacks had been due to a flaw in Apple's iCloud service.

    • 21 Mar

      Ex-US State Department employee sentenced for 'sextortion'

      A former employee of the US State Department has been sentenced to 57 months in prison after being found guilty of a widespread phishing, hacking and cyberstalking scheme that affected hundreds of victims.

      Michael Ford pleaded guilty to stealing account login credentials via phishing scams, then using them to access the accounts and search for incriminating material such as sexually explicit photos. He then used the content as blackmail material to force his victims, mostly young women, to provide personal information and further compromising images or videos.

    • 23 Mar

      US charges Iranians for hacks of companies, dam

      The US Department of Justice has revealed charges against seven Iranians for a series of hacks targeting US-based financial companies, as well as the Bowman Dam in New York state.

      The hacks, which reportedly took place from 2011 to 2013 and were said to have cost the targeted companies "tens of millions of dollars", are also notable for being directly linked to the Iranian government.

    • 8 Jan

      Europol: ATM malware gang arrested

      Eight alleged members of a cybercriminal gang have been arrested in Romania and Moldova. According to news reports, the operation (coordinated with assistance from Europol) targeted individuals suspected of using the Tyupkin malware to attack and empty ATMs across Europe.

    • 12 Jan

      Turkey: 334 years for data theft hacker

      A hacker in Turkey has received a record sentence of 334 years for engaging in data theft. The 26-year-old Onur Kopçak had been charged with stealing credit card details using phishing sites that imitated banking sites, as well as selling the stolen data to other criminals. Prior to this, the longest sentence for hacking-related activities was the 20 years handed down by a United States court to Albert Gonzalez for the TJX data breach.

    • 13 Jan

      Europol: Bitcoin extortion gang DD4BC arrested

      A coordinated international operation between law enforcement authorities in Europe, the UK and the US saw the arrests of two suspects linked to a hacking group that extorted Bitcoins from companies. The group, known as DD4BC, reportedly used the threat of launching crippling Distributed Denial of Service (DDoS) attacks against targeted companies to pressure them into paying.

Product Security

    • 6 Dec

      Google patches 'Dirty Cow' Linux / Android flaw

      The latest Android security patch fixes 50 security issues on the popular mobile platform, 11 of them deemed critical. The update also patches the CVE-2016-5195 'Dirty Cow' vulnerability, which was reportedly being actively exploited in the wild. If successfully exploited, the Dirty Cow flaw could allow attackers to gain root privileges on the affected device.

      The same update also saw a patch for the CVE-2016-4794 flaw, which could also be targeted by attackers to gain root privileges.

    • 9 Dec

      Yahoo! Mail cross-site scripting flaw fixed

      A security researcher responsibly disclosed a cross-site scripting flaw in the Yahoo! webmail service which could have allowed hackers to access and compromise a user's account. The attack involved malicious JavaScript embedded in the body of an email, and would only have required the user to view the booby-trapped email to launch the attack - no clicking a link or opening an attachment was needed.

      This is the second time in 2016 that researcher Jouko Pynnönen found and reported a cross-site scripting flaw in the tech giant's webmail service, having done just that at the beginning of the year. For each effort, the researcher was awarded $10,000 under the company's bug bounty program.

    • 14 Dec

      Filmmakers, journalists call for encrypted cameras

      150 filmmakers and photojournalists have sent an open letter to multiple camera manufacturers, including Nikon, Canon and Olympus, calling on them to produce encrypted cameras as a protective measure against repressive governments, criminals and other entities seeking to seize their materials.

      The call for encryption of camera contents comes at a time when data protection is an increasing consumer concern, following revelations of widespread government monitoring of their own citizens as well as increasingly organized online crime.

    • 15 Dec

      Joomla zero-day flaws patched

      Joomla released its 3.6.5 security update to address three vulnerabilities, including CVE-2016-9838, which was categorized as high severity. An attacker can take advantage of this particular vulnerability to modify existing user accounts, reset usernames and passwords, and change user group assignments, which may give them access to admin accounts.

    • 21 Dec

      Netgear releases router firmware update

      Netgear released a firmware update to address the recently reported CVE-2016-6277 vulnerability affecting multiple routers in its product lines.

      Netgear router users are urged to check if their devices are included in the list of vulnerable equipment and if so, to update their router's firmware as soon as possible.

    • 8 Nov

      Google to tag recently unblocked sites as 'Repeat Offenders' for 30 days

      Google announced that it would tag websites that have only just been unblocked by its Safe Browsing service as 'Repeat Offenders', a label intended to alert users to sites with a history of malicious behavior. Webmasters of sites tagged with the label will not be able to request a review of the rating for 30 days, as a countermeasure against attempts to game the security verification system.

      The label is not intended for use on sites that were hacked or compromised, but on sites that deliberately post malicious content.

    • 16 Nov

      Whatsapp encrypts video calls

      Popular messaging app Whatsapp announced that it was adding encryption to its video-chatting functionality. The change, which is expected to be rolled out to all 180 countries where the service is available, is expected to provide over 1 billion users with a secure communication method in an era when government eavesdropping is a growing concern.

    • 22 Nov

      Qualcomm, US Army launch bug bounty programs

      The US Army launched its biggest bug bounty program, with a call for independent security researchers to report issues with its 'digital recruitment architecture'. The invite-only program focuses on both recruitment sites and databases holding information on prospective and current military personnel.

      In the same month, chip manufacturer Qualcomm announced the launch of a bug bounty program for vulnerabilities in its hardware, in particular its popular Snapdragon processors. According to reports, researchers who have previously approached the company with vulnerability-related research will be invited to join the program first, before it is opened to a wider audience.

    • 11 Oct

      Microsoft: 'monthly rollup' model for Patch Tuesday updates

      Microsoft issued its regular Patch Tuesday release using the new 'monthly rollup' model, an all-or-nothing update that removes administrators' ability to pick and choose the updates they want to apply to their systems. The model has raised concerns over the difficulties it may cause administrators who may be unable to implement the entire update due to technical conflicts with any single part of it.

      Included in the October update were patches for five zero-day vulnerabilities in Windows, Internet Explorer, Edge and Office.

    • 25 Oct

      Apple releases iOS 10.1, patches JPEG image file flaw

      Apple released the 10.1 update for its popular iOS operating system. Included in the latest version are a number of patches for vulnerabilities, most critically for the CVE-2016-4673 vulnerability that could allow a booby-trapped JPEG image file to perform arbitrary code execution.

    • 27 Oct

      Microsoft: Office 2013 gets 'anti-macro malware' feature

      Microsoft announced that it had ported the popular 'anti-macro malware' feature from its Office 2016 product to the earlier 2013 version following numerous customer requests.

      The feature blocks macro scripts in Office documents that try to download content from outside the company network, and is widely seen as a useful proactive measure against booby-trapped documents sent out via spam or phishing emails. While not entirely foolproof against malicious macro scripts, the feature is still considered a helpful security measure.

    • 27 Oct

      US: DMCA exemptions now allow legal hacking of own car, smart TV

      A new exemption to the Digital Millennium Copyright Act (DMCA) has gone into effect, giving Americans the right to perform security research on the devices they own - for example, cars or smart televisions, which previously had copyright protections in place that made such hacking attempts illegal.

      The exemptions are currently limited to a two-year trial period, and the hacking is also required to meet certain conditions ("good-faith testing") to avoid causing harm to individuals or the public. The exemptions are however expected to encourage researchers to examine device software and find vulnerabilities, which could ultimately improve the products and consumer confidence in them.

    • 9 Sep

      OS X patch released for Trident 0-day flaws

      Apple released a patch for its OS X operating system that closes the three security flaws uncovered during a recent investigation into an attempted targeted attack on a political dissident in the Middle East.

      Referred to as 'Trident', the flaws were originally reported in Apple's iOS mobile platform, and were swiftly patched on that OS. Users are urged to install the patches at their earliest convenience.

    • 10 Sep

      Android update fixes two flaws, cleans up Play Store

      Google announced an update to the Android mobile platform that patches two security vulnerabilities, one of which was described as being similar to the Stagefright exploit that was the last major security issue to bedevil the operating system. Much like the previous flaw, the latest vulnerability could be exploited using a specially crafted image file. The latest update also removes malware that had been reported in the Play Store.

      Users are urged to install the update, if their devices are in line to receive it from their manufacturers.

    • 27 Sep

      Microsoft's Edge browser to be contained in VM

      Microsoft announced that an upcoming version of its web browser would be contained in a virtual machine (VM) as a proactive measure against malware that is delivered through the browser, for example via drive-by downloads or exploit kits.

      The Windows Defender Application Guard, as it is currently known, is slated to be available in 2017 and at least in its first release, only for Windows 10 enterprise customers.

    • 4 Aug

      Apple, Panasonic launch bug bounty programs

      Apple has announced it will be launching an invite-only bug bounty program in September. The cautious announcement is seen as a welcome, if long-awaited, move from a company that has historically been doubtful about the value of such programs.

      At the same time, consumer technology giant Panasonic also announced that it will be launching a bug bounty program, this one with a focus on avionics, particularly the in-flight entertainment systems developed by the company.

    • 10 Aug

      Microsoft accidentally leaks Secure Boot 'golden keys'

      Microsoft suffered an embarrassing leak this month when researchers announced that the company had accidentally exposed a 'backdoor' (also referred to by the researchers as 'golden keys'), a way to bypass the Secure Boot security component used in Windows devices to ensure that only authorized software runs on the device.

      According to reports, an attacker with either administrator rights or physical access to a Windows device could use the bypass mechanism to load any desired operating system on it. An attacker would also be able to install malware such as rootkits or backdoors, giving them total control of the device.

      The researchers who discovered the exposed bypass mechanism said they reported the vulnerability privately to Microsoft, which subsequently issued the MS16-094 and MS16-100 patches to address the issue. Both patches have however been criticized as 'inadequate', with a third update expected in September to completely fix the problem.

    • 25 Aug

      Apple emergency patch for iOS flaws exposed in hack attempt

      iOS users have been urged to update their operating systems to take an emergency patch into use, after news broke of a spyware tool in-the-wild that was capable of exploiting three previously unknown iOS vulnerabilities (CVE-2016-4655, CVE-2016-4656 and CVE-2016-4657).

      Security researchers have dubbed the iOS-specific exploit code 'Trident', and were alerted to its existence after a human rights activist in the United Arab Emirates contacted them about a suspicious SMS message he had received containing a suspect URL (which he wisely refrained from clicking on). The researchers discovered that the link led to a spyware package known as Pegasus, which would have used the Trident code to infect and monitor the activist's mobile device.

      The Pegasus spyware package is reportedly the work of a secretive Israeli technology company known as NSO, which is thought to be associated with state-backed monitoring efforts.

    • 6 Jul

      Microsoft: guidance for Group Policy issue caused by Jun update

      Microsoft released guidance this month related to the Group Policy issue caused by a security update published in June, which had provoked much consternation and ire among system administrators who suddenly found their existing user environments thoroughly disrupted.

      The June MS16-072 bulletin had included a patch that changed the way Group Policy was applied, in order to prevent a man-in-the-middle attack between computers and the domain server. This change resulted in unexpected knock-on effects on other aspects of the environment that were also controlled by Group Policy.

      The issued guidance provides options for fixing the affected Policies.

    • 8 Jul

      Facebook adds opt-in encryption for Messenger

      Social media giant Facebook announced that it would be adding an opt-in feature in its Messenger app that would allow 'Secret Conversations'.

      The new feature would use end-to-end encryption, meaning that the messages sent over the app would only be readable by the sender and the recipient. With the encryption enabled, even Facebook itself would be unable to decrypt the messages, even if ordered to do so by a government warrant.

      Unlike on the rival app WhatsApp, Messenger users must actively enable the 'Secret Conversations' feature to use it. The addition of a more secure mode of communication is however likely to increase the frustrations of law enforcement officials around the world, who are already grappling with ways to access encrypted data in their investigations.

    • 12 Jul

      Chrysler to offer bug bounty for private reports

      Fiat Chrysler has announced what is considered to be the first bug bounty program by a mainstream American automotive manufacturer that provides a financial payout to independent researchers who privately report issues with their products.

      The announcement follows the establishment of vulnerability reward programs by Tesla and GM, and is generally seen as a welcome move in an industry that has had difficulty acknowledging and addressing the issues created as vehicles become more technologically connected.

    • 13 Jul

      Pokemon Go to remove full access to Google account

      The developers of the phenomenally popular Pokemon Go app have said that the full access their app has to an iOS user's Google account is an error, and that they are working on a fix for the issue.

      Following the release and skyrocketing popularity of the 'augmented reality' game, security researchers noted that the app is granted full access to a user's Google account when installed on an iOS device, a privilege normally provided to trusted apps rather than gaming apps. With full access, the app developers would be able to see extensive user information such as browser history, calendar entries, photos and so on.

      According to reports, Google verified that the game did not in fact access anything other than basic information such as the Google profile details. Nevertheless, the developers have said that they will be removing the full access in an upcoming fix. In the meantime, multiple news sources have provided instructions for manually revoking the access as a temporary measure.

    • 25 Jul

      Europol, security firms set up anti-ransomware tools service

      Europol, national European police forces and a group of IT security firms announced that they have partnered on the No More Ransom project in a collaborative effort to assist users in the region who have been affected by ransomware.

      The collaborative effort is intended to allow victims and police to connect via a website that also provides advice on data recovery, as well as decryption tools created by the security firms to address specific ransomware families.

    • 3 Jun

      Facebook bins in-app chats, pushes users to Messenger app

      Facebook has confirmed that it is moving forward with a push to remove native messaging from the mobile version of its website, and will be pushing users to use its Messenger app for that purpose. With the move, the Messages box in the website interface will direct the user automatically to the Messenger app if it is installed, or display a prompt to install it if it is not.

      The move from native messaging to the separate Messenger app already took place in 2014 for users of the iOS and Android versions of the Facebook app, but the mobile version of the site had until now maintained its native messaging functionality. This last holdout will however also be removed, with Facebook displaying a prompt urging users to install the Messenger app as the only remaining option if they want to continue chatting via the social network service.

      Facebook has said that the move to the Messenger app allows them to offer 'the best experience possible' for users, as the app provides more features and functions. News coverage of the move has so far been more mixed, with many questioning the necessity for such a move.

    • 6 Jun

      Researchers remotely disable Mitsubishi Outlander hybrid alarm

      Security researchers announced that they were able to remotely disable the alarm system on Mitsubishi's Outlander hybrid model, as well as lock and unlock its doors, by exploiting a flaw in the automobile's onboard Wi-Fi network.

      The Outlander hybrid provides an onboard Wi-Fi network for its passengers, allowing connectivity that is limited to the vicinity of the car. An associated app is also available that allows users to control some functions in the vehicle. Researchers were however able to intercept transmissions between the app user and the vehicle in order to remotely flash the car lights, unlock the doors and disable the alarm system.

      Mitsubishi was notified of the flaw in the system and is said to be investigating the issue. The company has reportedly urged owners to deactivate their onboard Wi-Fi while the investigation is underway, until new firmware can be released to address the issue.

    • 14 Jun

      Safari browser to insist Flash Player 'is not installed'

      The upcoming version 10 of Apple's Safari web browser will move to using HTML5 by default, essentially deprecating the use of Flash Player, QuickTime, Java and Silverlight to render content.

      Websites loaded by the browser will not be able to detect that the user has Flash, or other non-HTML5 plugins, installed in their browser, essentially forcing them to display HTML5 content if available. On sites that do not offer an HTML5 option, users will be shown a message allowing them to enable Flash temporarily, or permanently for that single site.

      The change in browser behavior is attributed to improving performance, power efficiency and security. The move away from Flash Player also falls in line with advice from security researchers to lower use of the program, which has become a popular target for attackers.

    • 15 Jun

      Microsoft MS16-072 patch breaks Group Policy

      Microsoft has acknowledged that its June 2016 MS16-072 patch has caused problems with the Group Policy settings on some machines, ranging from Windows 7 to Windows 10.

      After applying the patch, some users have reported that previously-hidden drives are now accessible, while others noted that shared drives have now become inaccessible.

      Some reports have indicated that uninstalling the patch remedied the current situation, but left them still vulnerable to the CVE-2016-3223 flaw which the patch was meant to address. Microsoft has not yet provided details of any upcoming changes to the patch that would address the reported issue.

    • 21 Jun

      Google 2FA to allow prompts instead of passcode entry

      Google's current two-factor authentication (2FA) approach now includes a feature that allows users to change from using a passcode to simply responding to a prompt.

      Like most 2FA models, Google currently requires users to manually enter a passcode (provided either by an SMS message sent to a mobile device, or generated by the Authenticator app) to verify their identity. Users may however opt to simplify the process further by switching to a 'Yes/No' prompt, which is generated on the associated mobile device whenever the user wants to log into a 2FA-enabled account.

      iOS and Android implementations of the new feature differ slightly, though one requirement both platforms have in common is that the user must have a lockscreen enabled before the prompt feature can be used. Security researchers recommend that users enable 2FA on any services that provide it as a security option.

    • 22 Jun

      Apple: 'iOS 10 beta kernel intentionally unencrypted'

      Apple has confirmed that the operating system kernel in the iOS 10 betas made publicly available at the WWDC conference this month was intentionally left unencrypted.

      The move by the usually secretive company took security researchers by surprise, as previous versions of the OS kernel were kept encrypted. Apple has however explicitly stated that the condition of the kernel was deliberate, in order to "optimize the operating system's performance without compromising security", most likely by allowing greater scrutiny of the system by independent security researchers looking for vulnerabilities and other flaws. User data remains encrypted in order to ensure privacy.

    • 5 May

      Microsoft to 'untrust' websites using SHA-1 certs

      Microsoft has announced accelerated plans to deprecate support for TLS certificates signed using the SHA-1 hash algorithm.

      The software giant announced that websites using such certificates will be considered untrusted on their web browsers (Edge and Internet Explorer) starting in summer 2016. Websites that do not update their certificates will be blocked outright starting in February 2017, one month earlier than previously scheduled.

      The plans to deprecate SHA-1 signed certificates were based on research indicating that the protection provided by the hashing algorithm was becoming increasingly easy to break.

    • 3 May

      Google security update fixes 40 Android flaws

      Google released its May 2016 Security Update, which includes fixes for 40 vulnerabilities, including 6 critically-rated flaws.

      Of the critically-rated vulnerabilities, two of them (CVE-2016-2428 and CVE-2016-2429) would allow remote code execution if successfully exploited, while the others would allow either an elevation of privilege or code execution in the context of the kernel.

      While there have been no reports of active attacks against any of the vulnerabilities fixed, users are urged to apply the security update as and when it becomes available for their Android device.

    • 16 May

      Google to phase out support for Flash Player in Chrome

      Google announced that it will be removing support for the Adobe Flash Player in its Chrome web browser by the end of 2016. Instead, the browser will default to using the alternative HTML5 technology.

      The software will still be enabled by default on 10 selected websites, including Amazon, Facebook and YouTube, but will be disabled by default on all others - users would need to manually enable Flash on the website before it runs.

      While Flash has been popular with users for many years for viewing multimedia content, it has also been a favorite target of attackers for vulnerability exploitation. Its popularity as an infection vector has led numerous security researchers to recommend that users disable Flash when not in use, or remove it entirely unless or until needed.

    • 20 May

      May bug bounty payouts and launches

      Popular adult website Pornhub announced the launch of their own bug bounty program, in conjunction with the popular HackerOne vulnerability reporting platform. In its present incarnation, the program excludes malvertising attacks, which have troubled the website in the past but are due to weaknesses in the advertising structure rather than the site itself.

      In the same month, Google released a patch for 5 vulnerabilities in its popular Chrome web browser. Under their bug bounty program, the security researchers who found the bugs also received payouts totalling $20,000.

      Finally, in May 2016 Facebook paid a $10,000 reward under its bug bounty program to a 10-year-old user who reported a vulnerability in Instagram, which the social media giant also owns. If successfully exploited, the vulnerability (which has since been fixed) could have allowed a user to delete comments on any account.

    • 24 May

      SWIFT to improve security after multiple attacks

      The CEO of the embattled financial communication network SWIFT has announced a 5-part plan to improve security after its service became the focus of a series of high-profile attacks in the last few weeks.

      Following the spectacular $81 million heist from the Bangladesh Bank in April, as well as reported attacks on other similar bodies, SWIFT had been coming under sustained pressure from its member banks, as well as the general public, to do more to improve its security.

      In addition to the improvement plans from SWIFT itself, various countries have ordered their national banks to launch audits of their information security practices, in a bid to secure their own financial systems and increase consumer confidence in the institutions.

    • 25 May

      Microsoft moves to tighten password security

      Microsoft announced the addition of a new "Dynamically Banned Passwords" feature which is designed to prevent users from choosing a password that has been included on a blacklist of banned passwords. The feature would allow administrators to add commonly used passwords (for example, those exposed in data breaches or in the media) to the blacklist, ensuring users would need to create a password that is not already compromised.

      The feature is currently available on its Account Service platform, which is used to log into services such as Xbox Live, and is also slated to be included in the Azure Active Directory (AD) for enterprise customers.

      The announcement follows the recent LinkedIn data leak, which saw credentials for over 117 million accounts compromised.
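      A simplified banned-password check of the kind the announcement describes, added here as an illustration and not Microsoft's own implementation; the banned list, the substitution table and the matching rules are all constructed for the example.

```python
import re

# Constructed blacklist: stands in for a list seeded from breach dumps
# (e.g. the LinkedIn leak) and extended by administrators.
DEFAULT_BANNED = {"password", "123456", "qwerty", "letmein", "linkedin"}

# Constructed table of common character substitutions to undo so that
# "P@ssw0rd" is treated the same as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase, undo substitutions, and drop trailing digits/punctuation
    (the usual 'password1!' style suffixes)."""
    p = password.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]+$", "", p)


class BannedPasswordList:
    def __init__(self, banned=None):
        self.banned = set(banned if banned is not None else DEFAULT_BANNED)

    def add(self, word: str) -> None:
        """Administrator adds a newly exposed password to the blacklist."""
        self.banned.add(word.lower())

    def is_banned(self, password: str) -> bool:
        raw = password.lower()
        norm = normalize(password)
        if raw in self.banned or norm in self.banned:
            return True
        # Also reject passwords that merely embed a banned word, so that
        # 'Password2016' or 'mylinkedinpw' do not slip through.
        return any(len(b) >= 5 and b in norm for b in self.banned)


if __name__ == "__main__":
    bl = BannedPasswordList()
    for pw in ["P@ssw0rd2016", "123456", "correct horse battery staple"]:
        print(pw, "->", "banned" if bl.is_banned(pw) else "ok")
```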

    • Apr 11

      WordPress enables default SSL encryption for hosted sites

      WordPress announced that they will be enabling SSL encryption by default for all custom domains hosted on The move to add encryption to the hosted sites is intended to improve security, with minimal disruption to the site administrators.

      Hosted sites will be provided with certificates from the Let's Encrypt project, and the rollout should be automatic, requiring no action from the site administrators.

    • Apr 24

      Whatsapp and Viber enable end-to-end encryption

      Popular messaging program Whatsapp made a surprise announcement that it had successfully rolled out end-to-end encryption by default for all its estimated 1 billion users.

      Simply put, end-to-end encryption means that all messages, phone calls, photos and videos transmitted from sender to recipient(s) via the app can no longer be read by others during transmission, not even Whatsapp employees.

      Whatsapp's surprise move comes in the wake of a major battle between the FBI and Apple over demands that the tech giant provide assistance in unlocking an encrypted iPhone. Though heralded by privacy-conscious users and civil advocates, the company's unexpected action is likely to rile numerous governments who have already expressed concerns about the conflict between law enforcement and encryption.

      Shortly after Whatsapp enabled end-to-end encryption, rival messaging app Viber also announced that they would be adding end-to-end encryption as well.

    • Mar 7

      Amazon removes, reinstates FireOS encryption

      Online retail giant Amazon came in for criticism over a recent update to its Fire operating system that removed disk encryption "because customers weren't using" it. The dropped feature had involved encrypting data stored on a device running the Fire OS, and meant that users would have to enter a password in order to view the data.

      Following a backlash from its device users, who demanded that the feature be reinstated, Amazon reversed its stance and has since announced that disk encryption will be restored in an upcoming update.

    • Mar 22

      Google releases emergency patch for critical kernel flaw

      Google has released an emergency patch for the critical CVE-2015-1805 vulnerability affecting all Android devices running Linux kernel versions below 3.18. If successfully exploited, the flaw could allow remote attackers to execute malicious code and essentially take over the device's functions.

      The number of devices affected by the flaw is thought to number in the millions. Google officials noted that they had discovered at least one app in the official Play Store that was able to exploit the vulnerability, and the company has already updated its Verify Apps security feature to prevent the installation of software that would trigger the flaw.

    • Mar 22

      Google makes BinDiff file comparison tool available for free

      Google has removed the USD200 price tag from its popular BinDiff binary comparison tool. Now available for free, the program allows users to compare related binary files and is a popular tool with security researchers for reverse engineering code.

      The move has been applauded by the security research community for making it easier for both amateur and professional researchers to engage in analysis work.

    • Mar 23

      Uber launches bug bounty program

      Ride-sharing app Uber has launched a bug bounty program for its software, in partnership with the vulnerability reporting portal HackerOne.

      In addition to the usual cash rewards for reported flaws, the scheme also includes a loyalty program for researchers who report five or more vulnerabilities in the first 90 days, increasing their potential payout.

      Uber also created a 'treasure map' of the various architectures used by the company, and the kinds of flaws they are particularly interested in. At the moment, only the company's apps (and not cars associated with it) are within the scope of the program.

    • Mar 23

      Microsoft Office 2016 adds macro-blocking feature

      Following the resurgence of macro malware in recent years, Microsoft has introduced a new feature in Office 2016 that allows administrators to prevent macros in document files downloaded from the Internet from running entirely. The new feature is an extension of previous Group Policy rules that displayed a warning notification if users attempted to enable macros in a document, but still allowed them to proceed if they clicked 'Enable macros' on the notification.

      In recent years, a surge of malware-embedded Office document files that trick users into clicking and enabling macros (and thus allowing the malware to run) has underlined the fact that most users can be led into disregarding the warnings against exactly this behavior.

    • Feb 25

      Nissan disables Leaf's 'hackable' app

      Vehicle manufacturer Nissan has apologized and temporarily disabled the NissanConnectEV app, after security researchers publicly disclosed that the service was accessible to unauthorized users, potentially allowing remote attackers to control a vehicle's heating or cooling system. The company further disclosed that its eNV200 electric vans were also vulnerable. According to a public statement, Nissan expects to launch updated versions of the app "very soon".

    • Feb 5

      Dell intros cloud-based BIOS check

      Computer manufacturer Dell has introduced a cloud-based way of checking a PC's BIOS to ensure the machine is free from malware before it starts up.

      Malware that infects a machine's BIOS is rare, but is usually difficult to detect and eradicate because the BIOS executes before the operating system and other installed programs (including security products) have a chance to run. Dell's BIOS verification measure moves the security check to the cloud and involves comparing the BIOS image to an official hash stored on Dell's servers.

      The check does not stop the machine from booting up as normal; instead, it sends a notice to the administrators for further action.

    • Feb 16

      Instagram to roll out two-factor authentication

      Popular photo-sharing service Instagram said that it will be adding two-factor authentication (2FA) as an optional additional security measure. Users who choose to adopt 2FA would be asked to enter a passcode that is sent by the service to a selected device each time they log in, making it much harder for a hacker to gain access to an account without having both the login credentials and the device.

      Details of the 2FA feature's availability to most users have not yet been published, as Instagram is reportedly rolling it out "slowly".


Items listed in the Calendar were reported in various technology news portals, security research publications, law enforcement sites, major newspapers and our own F-Secure Weblog.

See our Threat Reports for previous editions of the Incidents Calendar.