
Editor's News

Retailer Office either stored passwords in clear text, or stored them in an easily decryptable form. That is according to developer Sherwin Rice, who revealed on Twitter that a password reset showed him a one-time password in clear text. In conversation with IT Security Guru, Rice said that he had only received the help page from Office, which states that passwords were reset and when a user next visits the website, “they will need to create a new password”....


eBay could face a raft of class action lawsuits, with the cost of the breach probably running into billions of dollars. Speaking to IT Security Guru, Dr Guy Bunker, cyber security analyst at Clearswift, said that as the information taken is “fantastic” for resetting passwords for accounts, this could cause problems for the auction website. However, he said that this would not spell the end of the company, pointing at the 2007 TK...


Encryption software TrueCrypt may be restored and improved by a group of developers, led by the team who crowd-sourced its funding. According to Reuters, the audit team who crowd-funded $70,000 is planning to continue its quest to determine the security of TrueCrypt, and Matthew Green, a Johns Hopkins University cryptography professor helping lead the effort, said that the effort would seek to fix legal issues with the code. Speaking to Brian Krebs, Green...


High street shoe retailer Office has confirmed that it suffered an attack last week, with an attacker gaining unauthorised access to some of its online accounts. It confirmed that the incident occurred on 22nd May and it detected this four days later. No credit card, debit card, PayPal or bank details were compromised in any way, but the affected information does include names, addresses, phone numbers, email addresses and passwords. All affected customers have...


The end of support by Microsoft for XP has apparently spelled the end for TrueCrypt, as users have been delivered messages warning that it is “not secure as it may contain unfixed security issues”. The homepage for the encryption programme is now redirecting to a web-based source code repository with the warning in red text, and stating that “this page exists only to help migrate existing data encrypted by TrueCrypt”. It also states: “The development...


Fresh ransomware that is distributed via Java drive-by-downloads and requires a private key has been detected. The CryptoDefense ransomware locks all files including videos, photos and documents and uses a unique RSA-2048 public key which is located “on a secret server on the internet”, according to research by Bromium. However, Bromium found that, due to an implementation flaw which it suspected will be fixed in an update, the decryption key can also be...


Spammers are beginning to use last week’s eBay breach to send spam to users saying how they were falsely arrested, and advising people to check public records to see if their names have been falsely used too. According to a blog by Cloudmark, the message says that a person’s name was “used falsely in an arrest, and I didn’t even know it until I checked my public record” and encourages the recipient to check...


Ten per cent of professionals are still able to access networks after leaving their jobs. According to research by Lieberman Software, 13 per cent of IT security professionals admit to being able to access previous employers’ systems using their old credentials. The survey of 270 IT professionals found that 23 per cent can get into their previous two employers’ systems using old credentials, and more than 16 per cent admit to still having access...


Former LulzSec member Hector Xavier Monsegur, aka “Sabu”, has been released from custody with one year of probation to serve. Named in court papers as “an extremely valuable and productive cooperator”, Monsegur was given the release after aiding the FBI with intelligence on hacking and in identifying his fellow LulzSec members. In the group, “Sabu” served primarily as a “rooter,” analysing code for vulnerabilities which could then be exploited. Those hit included Sony Pictures, Fine...


Czech anti-virus vendor Avast has taken its forum offline after it was hacked this weekend, and saw user names and hashed passwords compromised. According to a post by CEO Vince Steckler, user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised. He said that once the forum is back online, all users will be required to set new passwords as the compromised passwords will no longer work. He said: “This...
