Richard Chirgwin


Code-sharing leads to widespread bug sharing that black-hats can track

Developers' enthusiasm for sharing code saves their colleagues' time, but also means they share security bugs they haven't noticed. And that means a smart attacker could follow who's shared what with whom to trawl the Web for vulnerabilities. That sobering idea comes from a group of German researchers with help from Trend …

Tor loses a node in Russia after activist's arrest in Moscow

Russia is shy a Tor exit node, after a university maths teacher was arrested for his involvement in protests in that country. Authorities have reportedly thrown the book at Dmitry Bogatov, accusing him of posting messages calling for mayhem. According to TASS, he’ll be held for two months pending investigation. This report at …

DTMF replay phreaked out the Dallas tornado alarm, say researchers

Strap yourself into the DeLorean: researchers from Duo reckon the Dallas tornado alarm incident was a case of old-style DTMF phreaking. On Friday night, someone figured out how to activate all 156 of the city's sirens in a stunt hack. It turns out the sirens, from Federal Signal, use one of the oldest signalling techniques …

SAP's TREX exposed HANA, NetWeaver

SAP has rushed out a patch for its TREX search engine, after security researchers found bugs in a 2015 patch. TREX is a search engine used in several SAP products, including its HANA database and its venerable NetWeaver application and integration platform. According to ERPScan, SAP thought it had patched the code injection …

Monster patch day for Juniper customers

Clear the diaries, Juniper sysadmins, a van-load of patches landed today. I suggest you join me in getting a coffee and settling in while we go through the list. The security fixes cover six fixes to Junos, one for the company’s EX Series switches, BIND fixes for SRX, vSRX and J-Series units, and multiple fixes for the …

Netregistry, TPP Wholesale on the rack over DNS TITSUP

Updated: Back online Netregistry and TPP Wholesale have lost six DNS servers between them, causing plenty of angst and anger on Australia's corner of the Internet. The TITSUP (Total Inability to Support Usual Performance) arose around 10:30am Eastern Standard Time. Netregistry posted a status update saying the DNS outage also took down its console …

UK boffins steal smartmobe PINs with motion sensors

Updated with Apple fix The World Wide Web Consortium might want to take another look at its habit of exposing too much stuff to application interfaces: a UK researcher has demonstrated a JavaScript app can spy on smartphone sensors to guess the codes users employ to unlock the devices. The attack, published in the International Journal of …

TCP/IP headers leak info about what you're watching on Netflix

An infosec educator from the United States Military Academy at West Point has taken a look at Netflix's HTTPS implementation, and reckons all he needs to know what programs you like is a bit of passive traffic capture. The problem, writes Michael Kranch (with collaborator Andrew Reed), is information in TCP/IP headers are …

DARPA seeks SSITH lords to keep hardware from the Dark Side

America's Defense Advanced Research Project Agency reckons too many vulnerabilities arise from hardware design errors, so it wants experts and boffins to propose better hardware-level security mechanisms. Baked-in security is a vexed question, for good reason: recipe slips can also hard-wire vulnerabilities into a chip. For …

Nvidia says Google's TPU benchmark compared wrong kit

It's not easy being Nvidia: the rise of AI has put a rocket under demand for GPUs, but the corollary to that is World+Dog publishing benchmarks to try and knock Nvidia off its perch. The company is famously touchy about such things – witness last year's spat with Intel over benchmarks it didn't regard as fair. Well, it's …

Systems-on-a-chip are a huge, unaudited attack surface, says Project Zero's Wi‑Fi attack man

The internal inter-chip communications of devices like smartphones are a “huge, mostly unaudited attack surface,” according to Gal Beniamini of Google’s Project Zero, in his promised follow-up to last week’s demonstration of how to attack Wi‑Fi chips over the air. His April 4 “part one” prompted emergency patches from Apple …

LiveJournal trial a storm in a safe harbour

US forum admins will be watching a Californian court with nervous interest, as social forum LiveJournal goes to trial for copyright infringement. The trial is being seen as a test of the Digital Millennium Copyright Act (DMCA), since LiveJournal had previously argued it was protected by that law's safe harbour provisions. …

Buggy Riverbed portal needs patching – now

Riverbed admins: get busy patching the SteelCentral Portal application. Digital Defense discovered the bugs, which include two authentication flaws and two information disclosure vulnerabilities. First, there’s an unauthenticated file upload bug in the portal’s UploadImageServlet, which delivers remote code execution at the …

Database deletion downed Digital Ocean last week

Ouch: last week, Digital Ocean took the GitLab fat-finger pill, deleting a production database and triggering a five-hour outage. Unlike GitLab's disaster, the Digital Ocean “engineer-driven configuration error” didn't include a backup failure. In its apology for the “unacceptable” turn of events, Digital Ocean explains that …

Evil ISPs could disrupt Bitcoin's blockchain

Attacks on Bitcoin just keep coming: ETH Zurich boffins have worked with Aviv Zohar of The Hebrew University in Israel to show off how to attack the crypto-currency via the Internet's routing infrastructure. That's problematic for Bitcoin's developers, because they don't control the attack vector, the venerable Border Gateway …

MyHealthRecord slammed in privacy uproar

The Australian government has found itself embroiled in a privacy furore, this time for the privacy settings on its MyHealthRecord e-health system. At issue is the system's default privacy setting, which is that any health professional treating an individual can access their whole health history. On the upside, that means if …

nbn™ trials 10 Gbps fibre tech most of you will never see

Nokia seems to believe in the future of fibre: it's run a test with nbn™ demonstrating next-generation passive optical networking (NG-PON) running at 10 Gbps. If it looks like mixed messaging to you, you're probably not alone, since under current plans, the only households able to run any kind of PON are those who already …

TP-Link 3G/Wi-Fi modem spills credentials to an evil text message

TP-Link's M5350 3G/Wi-Fi router has the kind of howling bug that gives infosec pros nightmares. In what looks like a feature created for developers' convenience, but left behind when it should have been deleted, the device's admin credentials can be retrieved by text message. The discoverer of the bug, a German company …

Apple finally teaches Android music app to validate certificates

If you're so much an Apple fan that you run Apple Music on Android devices, there's an upgrade to patch against a man-in-the-middle vulnerability. Eight months ago, Canadian security researcher David Coomber discovered that Apple Music for Android 1.2.1 and older doesn't validate the SSL certificates presented when logging …

OLE-y hell. Bug in MSFT Word allows total PC p0wnage

All eyes will be on Microsoft's April patch run - due tomorrow - to see whether Redmond gets ahead of a nasty Word zero-day that popped up last week. The hack exploits Object Linking and Embedding and the FireEye researchers who discovered the bug were working with Microsoft, but were pre-empted by a disclosure from McAfee. …

Reworked Arista kit going back on sale in America

Arista has been cleared by US Customs and Border Protection (CBP) to start shipping modified products to the United States again. Arista sought the right to do so because of its long-running litigation with Cisco, which believes Arista has pinched its intellectual property. The fight's been running since 2014 and some of …

Wisdom of crowds plus a splash of AI give Australia new national analytical map data

Australia's Public Sector Mapping Agency (PSMA) and US satellite constellation operator DigitalGlobe have joined together to come up with a whole-of-continent, high-resolution analytical data set. Perhaps in need of a high-value product after its G-NAF (Geocoded National Address File) was published for free at Data.gov.au, the …

Stop us if you've heard this: Cisco Aironet has hard-coded passwords

Cisco's discovered that its Mobility Express Software, shipped with Aironet 1830 Series and 1850 Series access points, has a hard-coded admin-level SSH password. The default credentials open affected devices to remote exploitation if an attacker has “layer 3 connectivity to an affected device”. The bug is in access points …

Oz regulator hauls Apple to court over iBricks

Apple's “error 53” i-Thing bricking bug has landed it in court again, this time in Australia. “Error 53” has been a source of irritation for iPhone customers for years: if iOS detects an unauthorised Touch ID module, iOS locks itself down, effectively bricking the phone – and only someone with Apple's blessing can fix it. The …

Facebook's going to block revenge smut with AI. Or humans. Or both

+Comment Well, that's awkward. Facebook's head of global safety and CEO Mark Zuckerberg on Wednesday gave differing descriptions of the advertising network's just-launched "AI" powered “online safety” initiative. The idea is that if someone's intimate images are shared without permission as “revenge porn,” the site's systems will be …

Biting the hand that feeds IT © 1998–2017