I Bought Used Voting Machines on eBay for $100 Apiece. What I Found Was Alarming

I Bought Used Voting Machines on eBay for $100 Apiece. What I Found Was Alarming

The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, were not encrypted. By using a $15 palm-sized device, my team was able to exploit a smart chip card, allowing us to vote multiple times.

How Hackers Pulled Off a $20 Million Mexican Bank Heist

How Hackers Pulled Off a $20 Million Mexican Bank Heist

Loza emphasizes that while the attacks likely required extensive expertise and planning over months, or even years, they were enabled by sloppy and insecure network architecture within the Mexican financial system, and security oversights in SPEI, Mexico's domestic money transfer platform run by central bank Banco de México, also known as Banxico.

When Facebook Goes Down, Don't Blame Hackers

When Facebook Goes Down, Don't Blame Hackers

“If you’re a DDoS attacker and you’re trying for a big target, and you want to have a big impact, you would probably look for an organization or a brand that doesn’t have as much connectivity to begin with,” says Alex Henthorn-Iwane, vice president at network security firm ThousandEyes.

Why It's So Hard to Restart Venezuela's Power Grid

Why It's So Hard to Restart Venezuela's Power Grid

Government statements and reports indicate that the blackout stems from a problem at the enormous Guri dam hydropower plant in eastern Venezuela, which generates 80 percent of the country's electricity.

The Huawei Case Signals the New US–China Cold War Over Tech

The Huawei Case Signals the New US–China Cold War Over Tech

Looked at through that lens, is Huawei’s relationship to the Chinese government fundamentally different than the ties between the Pentagon and contractors such as Lockheed, Boeing, and General Dynamics?

Security News This Week: The US Tracked Journalists Reporting on the Migrant Caravan

Security News This Week: The US Tracked Journalists Reporting on the Migrant Caravan

After the Migrant Caravan, the US Gov Tracked Journalists and Activists According to documents obtained by the local NBC 7 news station in San Diego, the US government has reportedly created a secret database to track journalists, activists, and at least one lawyer.

Turn On Auto-Updates Everywhere You Can

Turn On Auto-Updates Everywhere You Can

Turn On Auto-Updates Everywhere You Can Alyssa Foote This week, Google announced that it had patched a wicked vulnerability in Chrome, by far the most popular browser in the world.

An Email Marketing Company Left 809 Million Records Exposed Online

An Email Marketing Company Left 809 Million Records Exposed Online

"This is just another case where someone has my data, and hundreds of millions of other people’s data, and I’ve absolutely no idea how they got it." Security Researcher Troy Hunt In the exposed database, the researchers also found some of what appear to be Verifications.io’s own internal tools like test email accounts, hundreds of SMTP (email sending) servers, the text of emails, anti-spam evasion infrastructure, keywords to avoid, and IP addresses to blacklist.

An Email Marketing Company Left 809 Million Records Exposed Online

An Email Marketing Company Left 809 Million Records Exposed Online

Last week, security researchers Bob Diachenko and Vinny Troia discovered an unprotected, publicly accessible MongoDB database containing 150 gigabytes-worth of detailed, plaintext marketing data—including 763 million unique email addresses. The database, owned by the "email validation" firm Verifications.io, was taken offline the same day Diachenko reported it to the company.

Machine Learning Can Use Tweets To Spot Critical Security Flaws

Machine Learning Can Use Tweets To Spot Critical Security Flaws

Researchers at Ohio State University, the security company FireEye, and research firm Leidos last week published a paper describing a new system that reads millions of tweets for mentions of software security vulnerabilities, and then, using their machine-learning-trained algorithm, assessed how much of a threat they represent based on how they're described.

The NSA Makes Ghidra, a Powerful Cybersecurity Tool, Open Source

The NSA Makes Ghidra, a Powerful Cybersecurity Tool, Open Source

(Like other open source code, though, expect it to have some bugs.) Joyce also noted that the NSA views the release of Ghidra as a sort of recruiting strategy, making it easier for new hires to enter the NSA at a higher level, or for cleared contractors to lend their expertise without needing to first come up to speed on the tool.

States Need Way More Money to Fix Crumbling Voting Machines

States Need Way More Money to Fix Crumbling Voting Machines

States Need Way More Money to Fix Crumbling Voting Machines “We are driving the same car in 2019 that we were driving in 2004, and the maintenance costs are mounting,” one official told the Brennan Center for Justice in a new survey.

An Alphabet Moonshot Wants to Store the Security Industry's Data

An Alphabet Moonshot Wants to Store the Security Industry's Data

The tool is a cloud platform on which companies can store their network intelligence data indefinitely, allowing them to use Google's search smarts to comb through logs and gain insight into emerging digital security threats.

Hack Brief: Google Reveals 'BuggyCow,' a Rare MacOS Zero-Day Vulnerability

Hack Brief: Google Reveals 'BuggyCow,' a Rare MacOS Zero-Day Vulnerability

So like clockwork, 94 days after Google alerted Apple to a bug in its MacOS operating system that could allow malware to inject data into the most privileged code running on its computers, Mountain View's hackers are revealing that fresh zero-day vulnerability to the world.

Quantum Physics Could Protect the Grid From Hackers—Maybe

Quantum Physics Could Protect the Grid From Hackers—Maybe

“It’s like working on a car with its engine running.” Sungjin Kim/Getty Images Cybersecurity experts have sounded the alarm for years: Hackers are ogling the U.S. power grid. Peters’s group thinks that a utility company could use quantum-encrypted data to communicate with their hardware.

US Lawyers Don’t Buy Huawei’s Argument on Chinese Hacking

US Lawyers Don’t Buy Huawei’s Argument on Chinese Hacking

But the Federal Communications Commission warned last year that use of Huawei’s equipment in US telecom networks might weaken US national security due to the company’s close ties to China’s government, which has been implicated in hacking campaigns against US companies and government agencies.

The Overlooked Security Threat of Sign-In Kiosks

The Overlooked Security Threat of Sign-In Kiosks

But X-Force interns Hannah Robbins and Scott Brink found flaws—now mostly patched—in all five mainstream systems they looked at from the visitor management companies Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist.

Trump's North Korea Summit Inspires Spearphishing

Trump's North Korea Summit Inspires Spearphishing

Security News This Week: North Korean Hackers Go Spearfishing This week’s summit between President Donald Trump and North Korea's Kim Jong-Un inspired a flurry of hacking activity. During President Trump’s first meeting with North Korea last year, there was a similar “spike in malware” from presumed North Korean hackers, one expert told CyberScoop.

Holes in 4G and 5G Networks Could Let Hackers Track Your Location

Holes in 4G and 5G Networks Could Let Hackers Track Your Location

"Average consumers are at the risk of exposing their privacy to malicious third parties who sell location data and other private information." With the exception of the Piercer flaws, the vulnerabilities the researchers discovered would need to be fixed above the individual carrier level by the industry group GSMA, which oversees development of mobile data standards including 4G and 5G.

Hackers Can Slip Invisible Malware into 'Bare Metal' Cloud Computers

Hackers Can Slip Invisible Malware into 'Bare Metal' Cloud Computers

"Once the firmware is infected, there’s really no way to know if it is still infected or to recover from it." Karsten Nohl, Security Research Labs In their experiments, Eclypsium's researchers would rent an IBM bare metal cloud server, and then make a harmless alteration to its BMC's firmware, simply changing one bit in its code.

Android Is Helping Kill Passwords on a Billion Devices

Android Is Helping Kill Passwords on a Billion Devices

Google's Brand points out that under FIDO2, developers will even be able to streamline their mobile browser and local app sign-in infrastructure so a user can set up password-less login on the web, and have that same easy authentication step carry over to the service's app or vice versa.

A Hidden Nest Secure Mic, Facebook's Dead VPN, and More Security News This Week

A Hidden Nest Secure Mic, Facebook's Dead VPN, and More Security News This Week

Security News This Week: Google Forgot To Mention the Nest Secure's Hidden Mic Nest The Mueller investigation has lasted so long, it's easy to forget that it'll end at some point.

NATO Group Catfished Soldiers to Prove a Point About Privacy

NATO Group Catfished Soldiers to Prove a Point About Privacy

Over four weeks, the researchers developed fake pages and closed groups on Facebook that looked like they were associated with the military exercise, as well as profiles impersonating service members both real and imagined.

Chinese Surveillance, Facebook Tracking, and More Security News This Week

Chinese Surveillance, Facebook Tracking, and More Security News This Week

LEARN MORE The WIRED Guide to Data Breaches This week, a security researcher found that Chinese company SenseNets, which allegedly facilitates that facial recognition tracking, had left a database containing the associated data completely exposed online.

Hacks, Nudes, and Breaches: It's Been a Rough Month for Dating Apps

Hacks, Nudes, and Breaches: It's Been a Rough Month for Dating Apps

"And often times these dating sites provide little to no security, as we have seen with breaches going back several years from these sites." Three's a Crowd OkCupid came under scrutiny this week after TechCrunch reported on Sunday that users have been dealing with a rise in hackers taking over accounts, then changing the account email address and password.

How Do I (Safely) Use Dating Apps?

How Do I (Safely) Use Dating Apps?

On the one hand, this is a good thing: Importing information from the social network can give you an extra layer of security, since it allows you to tell which potential matches have Facebook friends in common with you.

Don’t Get Your Valentine an Internet-Connected Sex Toy

Don’t Get Your Valentine an Internet-Connected Sex Toy

“Even simply opening the Bluetooth explorer on your phone will reveal nearby smart adult devices that are powered on.” When Bluetooth is used to hack into and take over a sex toy, it’s called “screwdriving”—a term coined by Pen Test Partners in 2017, when its researchers discovered that the Lovense Hush butt plug could be found and remotely controlled via Bluetooth.

A New Tool Protects Videos From Deepfakes and Tampering

A New Tool Protects Videos From Deepfakes and Tampering

With this approach it’s binary: Either the hash matches or it doesn’t, and it's all publicly verifiable." "We can show that there are ways to ensure that all parties have faith in the video and how it was captured." Josh Mitchell, Amber Security Consultant A tool like Amber has obvious appeal for human rights activists, free speech advocates, and law enforcement watchdogs wary of potential abuse coverups, but governments also have an interest in video integrity tools.

Why the US Needs a Strategy for AI

Why the US Needs a Strategy for AI

In coordination with the National Council for the American Worker and through the Select Committee on Artificial Intelligence, federal agencies will now work together with industry and educational institutions to develop AI-related education and workforce opportunities.

Cybersecurity Workers Scramble to Fix a Post-Shutdown Mess

Cybersecurity Workers Scramble to Fix a Post-Shutdown Mess

Furloughed cybersecurity employees returned to expired software licenses and web encryption certificates, colleagues burned out from working on skeleton crews, and weeks-worth of unanalyzed network activity logs.

More