XcodeGhost continues to haunt users of the iOS App Store

One of the big malware stories of the last few days has been the discovery that legitimate developers had uploaded apps to Apple’s App Store, without realising that their code had been compromised.

The malicious code, known as XcodeGhost, managed to insert itself into the developers’ apps via a circuitous route.

> Read More

Tell us how to infect an iPhone remotely, and we’ll give you $1,000,000 USD

If there’s something which is in high demand from both the common internet criminals and intelligence agencies around the world, it’s a way of easily infecting the iPhones and iPads of individuals.

The proof that there is high demand for a way to remotely and reliably exploit iOS devices, in order to install malware that can spy upon communications and snoop upon a user’s whereabouts,

> Read More

Online extortionists reset Android PINs, take data on virtual drives hostage

In the last few years extortion has hit computer users, big time.

Consumers and businesses alike are finding themselves locked out of their computers, or prevented from accessing their valuable data, by ransomware attacks that demand a payment be made to online criminals.

But normally when these malicious attacks are described,

> Read More

Secure Alternatives to Android

In my previous post I discussed the flurry of Android vulnerabilities which have come to light over the last year or so. TowelRoot, Fake ID, Android Installer Hijacking, Stagefright, and Certifi-gate have been publicly announced. Some of them have been around in Android for years. Creating patches for your Android devices is a long complex path,

> Read More

Do Android Flaws Have You Looking for Alternatives?

Android security flaws have become more frequent in the news lately. At least one of them, Stagefright, has been quite severe. The worst part is now that these vulnerabilities have publicly disclosed, everyone including cybercriminals are aware of them. The details needed to compromise devices have been published by every level of media,

> Read More

PayPal XSS flaw could have let hackers steal your unencrypted credit card details

A cross-site scripting (XSS) flaw on PayPal’s website could have been used by hackers to phish for your login credentials, and even steal your unencrypted card details.

But thankfully the vulnerability was found by a responsible researcher, who informed PayPal about the problem and helped the web’s most popular payment service from being embarrassed by a massive security gaffe.

> Read More

Sysadmins who fail to change default configurations, leave petabytes of data at risk

Here’s a very important lesson for system administrators and developers who don’t want data to fall into the wrong hands: change the default settings, or risk leaving your organisation’s servers open to access by unauthorised, external parties.

A study by researchers at Swiss security firm BinaryEdge has scanned the internet on various ports,

> Read More

How to Own an Oil Well in 30 Minutes

Industrial Programmable Logic Controllers (PLCs) are devices used to control key manufacturing and infrastructure systems around the world. A PLC is a fully customizable device which can take just about any data in, perform any combination of logical operations on it, and create an almost unlimited number of output scenarios. They’re common on manufacturing lines to control production machinery.

> Read More

Patch! Patch! Patch! What Security Pros Know that Your Barber Doesn’t

[Originally published in the Spiceworks IT Community.]

A Google security research paper was recently published on the best safety practices that hundreds of security experts recommend. This paper outlines the results of two surveys — one with 231 security experts, and another with 294 web-users who aren’t security experts — in which both groups were asked what they do to stay safe online.

> Read More

Five years after Stuxnet, your USB drive is still being patched

Yesterday was Patch Tuesday, and – as Optimal Security’s Russ Ernst described – Microsoft released fixes for a smorgasbord of vulnerabilities.

Obviously, it’s important that you roll out the patches as soon as possible, and ensure that your computers and networks are protected against threats which malicious hackers could use to target your systems,

> Read More

Patch Tuesday Still Alive and Well – And Offering Something for Everyone

Despite the launch of Windows 10 and all the talk about mandatory updates, today is still Patch Tuesday. And this month, everyone should pay attention. Microsoft shared avulnerability smorgasbord today – offering a little something for everyone. From office and browser applications to desktops and servers, Microsoft covered them all with 14 bulletins.

> Read More

The Pwnie Awards – 2015 Edition

On August 5th Black Hat participants gathered at the Mandalay Bay for the 2015 annual presentation of The Pwnie Awards. The Pwnie Awards began in 2007 and have honored the most magnificent achievements and failures of the information security industry ever since. The winners aren’t [yet] posted on the official pwnies website.

> Read More