The Morning After: Apple’s HomePod gets hacked apart

Morning there! Apple's technically impressive HomePod has literally been hacked into pieces, we get a taste of Qualcomm's potent smartphone chip (coming soon) and strap an editor into an Iron Man toy mask in the interests of Journalism with a capital…
Engadget RSS Feed

WordPress plugin hacked to mine cryptocurrency: government, ICO, NHS sites hit

US think-tank calls for IoT device design to be regulated

US and UK government websites have been hit by malware mining Monero.

Government websites in the US and UK, including that of the UK Information Commissioner’s Office (ICO), have been hit by malware designed to mine cryptocurrency.

According to security researcher Scott Helme, the security breach resulted in over 4,000 sites serving up the malicious code.

Others affected include the UK Student Loans Company (SLC), National Health Service (NHS) Scotland, and the Queensland government portal in Australia.

The compromised plugin is called Browsealoud, which helps visually impaired people to access text on websites. The malware uses a site visitor’s own processor to mine for the Monero cryptocurrency.

Helme was made aware of the hack by fellow security specialist Ian Thornton-Trump, who discovered that the ICO’s website was hosting the malware.

Four-hour window of opportunity

Texthelp, the company that makes the plugin, reported that its product was infected for four hours, according to a blog post by security firm Wordfence. Browsealoud was taken offline as soon as the problem was spotted.

In his own blog post, Helme said that the script for the Browsealoud plugin, ba.js, was altered to include the Coinhive cryptocurrency miner, which targets Monero.

“If you want to load a cryptominer on 1,000+ websites, you don’t attack 1,000+ websites, you attack the one website that they all load content from,” he said.

“In this case, it turned out that Texthelp, an assistive technology provider, had been compromised and one of their hosted script files changed.”

Security testing

In a statement, Texthelp data security officer Martin McKay said, “Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.

“This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action. Texthelp can report that no customer data has been accessed or lost.”

He added that a security review would be conducted by a specialist independent consultancy. That investigation is still ongoing, and customers will receive an update when it has been completed.

Internet of Business says

As this ‘supply chain hack’ reveals, the downside of an interconnected world is that security problems can spread worldwide in seconds. This will be a major issue in the years ahead for the IoT, unless smart device manufacturers put enterprise-grade security programmes in place to match the reactive security programmes that have been developed over a quarter century of online business.

The post WordPress plugin hacked to mine cryptocurrency: government, ICO, NHS sites hit appeared first on Internet of Business.

Internet of Business

Binance: Calm down, we haven’t been hacked


When money is on the line, going dark without warning is rarely the best idea. Last night, Hong Kong-based cryptocurrency exchange Binance did just that. With little warning beforehand, and a message afterward claiming it needed 12 hours to complete site upgrades, people started to panic. And then 12 hours turned to 24. Binance, though, assured customers again today that everything was fine, claiming the outage was due to a server issue that caused data to fall out of sync. Chief executive Changpeng Zhao announced last night that the development team would need to re-sync from a master database, a…

This story continues at The Next Web
The Next Web

OnePlus Website Gets Hacked, Credit Card Details Of Customers Compromised

OnePlus has mailed customers and released a statement confirming that anyone who has made a purchase via its website since November may be at risk.

[ Continue reading this over at RedmondPie.com ]

Redmond Pie