Skip to content

Author: Alex Hern in Las Vegas

Want to advertise here? Email to rent this space!

‘Bug bounty’: Apple to pay hackers more than $1m to find security flaws

Expanded program, announced at Black Hat conference, comes as governments and tech firms compete for informationApple will pay ethical hackers more than $1m if they responsibly disclose dangerous security vulnerabilities to the firm, the company announ…

Kids at hacking conference show how easily US elections could be sabotaged

Changing recorded votes would be difficult for bad actors. But at Def Con in Las Vegas, children had no trouble finding another point of entry

At the world’s largest hacking conference, there was good news and bad news for fans of free and fair elections.

The good news is that hacking the US midterms – actually changing the recorded votes to steal the election for a particular candidate – may be harder than it seems, and most of the political actors who could pose a threat to the validity of an election are hesitant to escalate their attacks that far.

Continue reading…

Hackers accessing PayPal via voicemail? Security expert says it’s possible

Voicemail systems have had some of the same weaknesses for decades, and hackers could use those to break into PayPal and WhatsApp accounts

With just a simple script and a $40 virtual phone number, a hacker could automatically break into voicemail accounts at scale, and parlay that access into control over online accounts including WhatsApp or PayPal, or even track someone’s every move.

Martin Vigo, a Spanish hacker who works in mobile security, presented new research at the Def Con hacking conference in Las Vegas, demonstrating how easy it could be for a motivated attacker to break into phone voicemails, and how much more damaging that security breach could be than simply letting an attacker listen to messages.

Continue reading…

Hackable implanted medical devices could cause deaths, researchers say

Medtronic, a manufacturer of pacemakers and implantable insulin pumps, won’t fix security vulnerabilities in its products

A range of implanted medical devices with nine newly discovered security vulnerabilities won’t be fixed by the manufacturer, despite the possibility that, if abused, the weaknesses could lead to injury or death.

In new research presented at the Black Hat information security conference, a pair of security researchers remotely disabled an implantable insulin pump, preventing it from delivering the lifesaving medication, and then took total control of a pacemaker system, allowing them to deliver malware directly to the computers implanted in a patient’s body.

Continue reading…

Hacked satellite systems could launch microwave-like attacks, expert warns

At Black Hat conference in Las Vegas, researcher says theoretical threat to ships, planes and military is ‘no longer theoretical’

The satellite communications that ships, planes and the military use to connect to the internet are vulnerable to hackers that, in the worst-case scenario, could carry out “cyber-physical attacks”, turning satellite antennas into weapons that operate, essentially, like microwave ovens.

According to research presented at the Black Hat information security conference in Las Vegas, a number of popular satellite communication systems are vulnerable to the attacks, which could also leak information and hack connected devices. The attacks, which are merely a nuisance for the aviation sector, could pose a safety risk for military and maritime users, the research claims.

Ruben Santamarta, a researcher for the information security firm IOActive, carried out the study, building on research he presented in 2014. “The consequences of these vulnerabilities are shocking,” Santamarta said. “Essentially, the theoretical cases I developed four years ago are no longer theoretical.”

Continue reading…

Stolen nude photos and hacked defibrillators: is this the future of ransomware?

Hackers behind attacks such as WannaCry might not have become hugely rich, but that doesn’t mean they are going to give up any time soon

The destructive potential of ransomware, the malicious software that is used to extort money from victims, is huge: in the first half of 2017, two major outbreaks, WannaCry and NotPetya, led to service outages from organisations around the world.

A third of the UK’s National Health Service was hit by WannaCry, and the outbreak was estimated by risk modelling firm Cyence to have cost up to $4bn in lost revenues and mitigation expenses. Then, a month later, NotPetya (so-called because it is not Petya, another type of ransomware with which it was initially mistaken), brought down a significant chunk of the Ukrainian government, pharmaceutical company Merck, shipping firm Maersk, and the advertising agency WPP, as well as the radiation monitoring system at Chernobyl.

Continue reading…

‘Anonymous’ browsing data can be easily exposed, German researchers reveal

  • Pair secured database containing 3bn URLs from 3m German users
  • Journalist and data scientists presented findings at hacking summit in Vegas

A judge’s porn preferences and the medication used by a German MP were among the personal data uncovered by two German researchers who acquired the “anonymous” browsing habits of more than three million German citizens.

“What would you think,” asked Svea Eckert, “if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’? How would you think we got it: some shady hacker? No. It was much easier: you can just buy it.”

Continue reading…

Facebook ‘dark ads’ can swing opinions, research shows

Ads targeted using profiles generated from individual voters’ stated interests are more successful in shifting attitudes, according to Online Privacy Foundation research

Using “psychographic” profiles of individual voters generated from publicly stated interests to target political campaigning really does work, according to new research presented at the Def Con hacking conference in Las Vegas, Nevada.

The controversial practice allows groups to hone their messages to match the personality types of their targets, and is being used by firms including Cambridge Analytica and AggregateIQ to better target voters with political advertising with so-called “dark ads”.

Continue reading…

Bug in top smartphones could lead to unstoppable malware, researcher says

Recent updates to iOS and Android contain fixes for Broadpwn, found in chips used in iPhones, Samsung Galaxies and Google Nexus devices

A recently patched bug found in the chips used to provide wifi in iPhones, Samsung Galaxies and Google Nexus devices could be used to build malware which jumps unstoppably from device to device, according to Nitay Artenstein, the researcher who discovered the flaw.

Affected users should update their phones’ operating systems immediately, to iOS 10.3.3 (released 20 July) or the July security update for Android, which contain fixes for the flaw.

Continue reading…

NSA denies ‘Raiders of the Lost Ark’ stockpile of security vulnerabilities

The agency’s stockpile of unpatched, undisclosed vulnerabilities is a big concern to the security community, but research suggests it discloses more than it keeps

America’s National Security Agency (NSA) spends upwards of $25m in a year buying previously undisclosed security vulnerabilities – known as zero days, because that’s the length of time the target has had to fix them – but the large investment may not result in as much of a collection of hacking capabilities as is widely assumed.

Jason Healey, a senior research scholar at Columbia University and director at the Atlantic Council policy thinktank, argues that the true number of zero days stockpiled by the NSA is likely in the “dozens”, and that the agency only adds to that amount by a very small amount each year. “Right now it looks like single digits,” he says, adding that he has “high confidence in this assessment.”

Continue reading…