Security

New malware roosting place: Inside your SD Card?

Security researchers have found a way to hack SD Cards, the most common form of flash-memory cards used to store data in mobile phones and digital cameras, and run software that intercepts data.

Andrew "bunnie" Huang and Sean "xobs" Cross disclosed the approach Sunday in a blog post and talk at the Chaos Computer Congress (30C3). With the attack, a person could run malicious software on the memory card itself. That's because the cards have tiny built-in computers called microcontrollers that are used to oversee the details of data storage.

The result is a "perfect …

Hacker tried to sell access to BBC server -- report

A Russian hacker wasn't exactly in the Christmas spirit when he reportedly tried to sell access to a BBC server on December 25.

Apparently first spotted by cybersecurity firm Hold Security, the recent attack hit a BBC FTP server and was conducted by a "notorious Russian hacker" known as "Hash" and "Rev0lver," Reuters reported on Sunday. No evidence has turned up indicating that the hacker stole any actual information.

But "Hash" attempted to make a Christmas Day profit out of his exploits, according to Hold Security founder Alex Holden. The hacker …

NSA reportedly planted spyware on electronics equipment

A new report from Der Spiegel, based on internal National Security Agency documents, reveals more details about how the spy agency gains access to computers and other electronic devices to plant backdoors and other spyware.

The Office of Tailored Access Operations, or TAO, is described as a "squad of digital plumbers" that deals with hard targets -- systems that are not easy to infiltrate. TAO has reportedly been responsible for accessing the protected networks of heads of state worldwide, works with the CIA and FBI to undertake "sensitive missions," and has penetrated the security of undersea …

Target: Encrypted PINs stolen but not encryption key

Target is again trying to calm customers in the wake of the recent hack that snatched credit card information for as many as 40 million account holders.

A Target spokeswoman revealed on Friday that strongly encrypted credit and debit card PINs were stolen by the hackers. But she said that those personal identification numbers cannot be decrypted without the right key, which could not have been taken during the data breach as the company does not store that information. The PINs are encrypted at the point-of-sale keypad, stay encrypted in the system, and continued to remain encrypted when obtained by …

Snowden's Christmas message: Privacy counts

Edward Snowden, the National Security Agency whistleblower, delivered a video message on Christmas Day via UK's Channel 4 with a simple theme: "privacy matters."

"A child born today will grow up with no conception of privacy at all. They'll never know what it means to have a private moment to themselves -- an unrecorded, unanalyzed thought," Snowden said in the 1-minute, 43-second message. "And that's a problem because privacy matters. Privacy is what allows us to determine who we are and who we want to be."

Snowden referenced George Orwell's …

Researchers report security flaw in Samsung's Galaxy S4

Here's some Grinchy news for those of you who put Samsung's Galaxy S4 on your holiday wish list: Israeli researchers have identified a vulnerability in the smartphone that allegedly allows a hacker to easily intercept secure data.

Samsung told CNET and other news outlets that it's looking into the issues and thus far doesn't believe the problem is as serious as the researchers present in their findings.

"Based on the information we currently have, the threat appears to be equivalent to some well-known attacks," Samsung said. "KNOX already includes mechanisms, such as per-app …

Security firm RSA took millions from NSA: report

What's an encryption backdoor cost? When you're the NSA, apparently the fee is $10 million.

Intentional flaws created by the National Security Agency in RSA's encryption tokens were discovered in September, thanks to documents released by whistleblower Edward Snowden. It has now been revealed that RSA was paid $10 million by the NSA to implement those backdoors, according to a new report in Reuters.

Two people familiar with RSA's BSafe software told Reuters that the company had received the money in exchange for making the NSA's cryptographic formula the default for encrypted key generation …

Target data stolen in hack showing up on black market

As if the Target hack ordeal couldn't get any worse -- data from the retail chain's massive security breach stolen between November 27 and December 15 is popping up in huge quantities on the black market, The New York Times reported Friday.

After Target conceded Thursday that its in-store point-of-sale systems were indeed hacked, compromising as many as 40 million debit and credit card accounts, fraud industry experts are seeing the information flood online card-selling markets to the tune of a "ten- to twentyfold increase" in high-value cards.

The hack, which affected only shoppers who made …

Three privacy-focused browsers compared

Which is the safest browser? In terms of privacy, the answer may be Internet Explorer. According to NSS Labs' 2013 Browser Security Comparative Analysis: Privacy (PDF), Internet Explorer tops Firefox and Chrome by blocking most third-party cookies by default and offering a built-in tracking protection list.

In terms of security, the answer may be Firefox. When Mark Stockley of the Sophos Naked Security blog polled readers last September about which browser they considered the most secure, Firefox was the big winner, gleaning more than 50 percent of the votes, followed by Chrome with just under 27 percent and IE with …

Wickr 2.0 makes self-destructing SMS more fun

When it comes to secure text messaging, you're often entirely dependent on the whims of the message server. Wickr goes to great lengths to flip that paradigm around, handing control back to you, the sender.

Wickr 2.0's debut on Friday makes it much easier to invite friends to use the app, thanks to a new address-book scanning feature that prevents Wickr from learning who you're inviting. That's a big difference from just about every other service out there, which accesses your address book -- usually with your permission -- and then holds on to that …