- Opera announces data breach: stored passwords stolen for 1.7M users. From Naked Security. Opera was once a proudly Norwegian browser that was different from the rest in more than just look and feel. Most other browsers used one of three main core components: Microsoft’s, Mozilla’s or WebKit’s. (WebKit originated from Apple but has now diverged into separate development streams used in browsers like Apple’s Safari, and browsers like Google’s Chrome.) But Opera had its own rendering engine, the complex heart of any browser that’s responsible for converting HTML source into a visible, clickable, usable web page. Opera’s independence made it what you might slightly unkindly think of as the Fifth of the Big Four browser families after Microsoft Internet Explorer (and now Edge), Mozilla Firefox, Google Chrome (and its free cousin Chromium) and Apple Safari.
- Beware of keystroke loggers disguised as USB phone chargers, FBI warns. From ArsTechnica. FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards. Always-on sniffer remotely uploads all input typed into Microsoft Wireless keyboards. The FBI’s Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers that are nearly ubiquitous in homes and offices.
- Microsoft Bans Simple Passwords That Appear in Breach Lists. From Softpedia. Following the huge debacle related to the LinkedIn data breach that came to light last week, Microsoft’s Identity Protection team has decided to ban the usage of common or simple passwords that may be easy to guess or have already appeared in breach lists. Microsoft says it has already activated this feature for regular Microsoft Account users and is holding a limited private preview for Microsoft Azure Active Directory services.
- Here’s how the US military is beating hackers at their own game. From Tech Insider. There’s an unseen world war that has been fought for years with no clear battle lines, few rules of engagement, and no end in sight. But it’s not a shooting war; not a war where combatants have been killed or wounded — at least not yet. It’s a war that pits nations against each other for dominance in cyberspace, and the United States, like other nations employing professional hackers as “cyber soldiers,” sees it as a battlefield just like any other.
- If you use Waze, hackers can stalk you. From Fusion.net. Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of “ghost drivers” that can monitor the drivers around them—an exploit that could be used to track Waze users in real-time. They proved it to me by tracking my own movements around San Francisco and Las Vegas over a three-day period.
- Meet the malware that screwed a Bangladeshi bank out of $81m. From The Register. February’s hack against Bangladesh’s central bank that netted $81m in diverted funds is one of the biggest cyber heists of all time. Now researchers think they’ve found the malware that did it. A sample of the software nasty was obtained by researchers at defense contractors BAE Systems. The malware appears to have been custom built to use the global SWIFT (Society for Worldwide Interbank Financial Telecommunication) system and its Alliance Access backend.
- RuMMS Android Malware Attacks via SMS Spam, Steals Money from Bank Accounts. From Softpedia. Security researchers have discovered a new Android malware family that’s being spread using SMS spam messages and has been secretly stealing money from victims’ bank accounts after infecting their devices. At the time of writing, this malware family, which FireEye researchers have named RuMMS, has targeted only users living in Russia. The first infections hit users on January 18 and have continued until late April.
- National Infrastructure Attacks Mark Ominous Milestone for Cyber Security. From InfoSecurity Magazine. Hundreds of thousands of homes across western Ukraine were suddenly left without power last December after a massive blackout. Though power was eventually restored, this event should serve as a wake-up call for governments around the world, not just because of the severity, but due to the cause.
- Amazon force-resets some account passwords, citing password leak. From ZDNet. Amazon has force-reset an unknown number of accounts, after passwords may have been compromised. A number of readers told ZDNet they received an email from Amazon saying the company has reset their account password. The message was also sent to their account message center on Amazon.com, and Amazon.co.uk, confirming the message is genuine.