Security

Five major Russian banks were targeted late last week by a botnet comprised of 24,000 computer and IoT devices. The attacks came from devices in 30 countries, including the United States, India, and Taiwan.

The attacks came in the form of distributed-denial-of-service (DDoS), which sends millions of requests to servers, taking them offline. From there, hackers may be able to compromise systems and steal information, but the five banks have denied any customer information has been stolen.

SSL Labs, a security grading website that’s well known among developers and operators of websites that use HTTPS encryption, announced new plans to tighten up its grading rules for 2017. The group behind it hopes this will encourage more websites to adopt more modern encryption.

Congress provided a masterclass in selective hearing Wednesday when urged by experts to do something about the increasing risk posed by poor IoT security.

At a session of the House's Energy and Commerce Committee into last month's attack on DNS provider Dyn that caused widespread disruption to online services, several security experts highlighted the main problem as a lack of security standards and urged Congress to act. Their pleas were repeatedly rebuffed.

You probably know by now that plugging a random USB into your PC is the digital equivalent of swallowing a pill handed to you by a stranger on the New York subway. But serial hacker Samy Kamkar‘s latest invention may make you think of your computer’s USB ports themselves as unpatchable vulnerabilities—ones that open your network to any hacker who can get momentary access to them, even when your computer is locked.

DDoS attacks generally rely on big numbers to get results. Hundreds of thousands of devices, millions of IP addresses all unleashing coordinated blasts of data at another device to bring it to its knees. A BlackNurse denial-of-service attack doesn’t need a massive army of zombies to be effective.

Researchers in a team from Shanghai, Boston and Tampa recently published an temptingly titled paper about password stealing.

Dubbed When CSI Meets Public Wi-Fi: Inferring Your Mobile Phone Password via Wi-Fi Signals, the paper makes you think of Crime Scene Investigation, but that’s just a handy collision of acronyms.

Cybersecurity expert Eugene Kaspersky, founder of the antivirus company that bears his name, called out Microsoft for disabling third-party antivirus programs during the Windows 10 upgrade process.

In a long-winded blog post that rambles and takes 300 words to get to the point, he criticizes Microsoft's walled garden approach to Windows 10, something MacOS has done forever, but then he gets to the main point: Windows 10 does everything it can to disable third-party AV programs and use only Microsoft's products.

Targeted password guessing turns out to be significantly easier than it should be, thanks to the online availability of personal information, leaked passwords associated with other accounts, and our tendency to incorporate personal data into our security codes.

In a paper [PDF] presented at the ACM Conference of Communication and Systems Security (CCS) in late October, security researchers from China and the UK describe a system for targeted password guessing that finds that a sizable fraction of people's online passwords are vulnerable to attack.

Personal details of more than 412 million subscribers to Adult Friend Finder and other hookup sites was breached.

In what could rival the size and impact of an earlier hack of MySpace, usernames, purchasing patterns, internet addresses and passwords of more than 412 million subscribers were exposed after Adult Friend Finder was breached last month.

Hotel and restaurant chains, beware. A notorious cybercriminal gang is tricking businesses into installing malware by calling their customer services representatives and convincing them to open malicious email attachments.

The culprits in these hacks, which are designed to steal customers’ credit card numbers, appear to be the Carbanak gang, a group that was blamed last year for stealing as much as $1 billion from various banks.