Richard Chirgwin


FreeRADIUS fragged by fuzzer – by invitation – and fifteen fails found

The folks over at FreeRADIUS took a look at Guido Vranken's work with OpenSSL, liked what they saw, asked him to fuzz the famous login/security server ... and then didn't like what they saw. Pretty much anybody who's logged into an ISP account has touched FreeRADIUS, since it's the most popular implementation of the venerable …

Dev to El Reg: Making web pages pretty is harder than building crypto

Comment An Australian computer scientist working in Thailand has offered his contribution to Australia's cryptography debate by creating a public-key crypto demonstrator in less than a day, using public APIs and JavaScript. Brandis.io is not a useful encryption implementation (the site itself says as much), but is a useful public …

Three Microsoft Outlook patches unpatched, users left to DIY

Microsoft has withdrawn at least three of the patches released at the end of June and early July, but left it to users to find out for themselves. The three patches – KB 4011042, KB 3191849 and KB 3213654 – fixed the same file-handling bugs in Outlook's 2010, 2013 and 2016 editions. Attachments containing “...” (ellipsis) or …

Burglary in mind? Easy, just pwn the home alarm

It's Monday, and infosec-watchers are showing their age by calling internet of things security disclosures “a broken record”. This time, it's a home security system that's remotely p0wnable. iSmartAlarm ships a variety of app-linked security products, including door sensors, motion sensors, cameras, locks, and a controller …

DARPA's robot sat-fixing program survives sueball strike

Aerospace company Orbital ATK has failed in a legal bid to halt a DARPA contract for robotic satellite maintenance devices and will instead see if the White House can help it to bring the work to the private sector. The lawsuit centres around contracts awarded last year, after years of investigations, that would launch a test …

Multi-gig broadband spec passes interop test at Verizon

Verizon is ramping up its multi-gigabit optical broadband work with interop tests for its implementation of the OpenOMCI specification. OpenOMCI is a management specification covering the interaction between optical modems (the Optical Network Terminal, ONT) in the home and the upstream Optical Line Terminal (OLT), and is part …

IETF moves meeting from USA to Canada to dodge Trump travel ban

The Internet Engineering Task Force has taken the rare (and possibly costly) decision to relocate an upcoming meeting out of America. IETF 102, scheduled for mid-2018, was booked for the San Francisco Hilton, but instead will be held in the Fairmont Hotel in Montreal. The reason, as announced by IETF Administrative Oversight …

€100 'typewriter' turns out to be €45,000 Enigma machine

A cryptography professor wandering through a Romanian flea market has turned a nice ROI on his €100 investment: €45,000. That's because what was on offer was a 1941-manufacture German Army three-rotor Enigma I. The unnamed collector who picked it up sold it through Bucharest auction house Artmark, and the unit beat its €9,000 …

YASA* looks at turning commercial buildings into Internet things

A vendor collective pushing Internet of Things standardisation for commercial buildings has published its first set of specifications, and wonder-of-wonders the specs include security. In evidence that the world's fast running out of tortured names that don't sound stupid in English or funny/obscene in other languages, the …

AGFEO smart home controllers need patching

Smart-home controllers from German company AGFEO have adopted best practice internet things security by offering an unsecured Web admin interface. The now-patched attack vectors included unauthenticated access to some services, authentication bypass, cross-site scripting (XSS) vulns, and hard-coded cryptographic keys. The …

Juniper admins: Grab your bug-zappers and load 22 rounds

Juniper Networks has released 22 patches and security notices. To be fair on the Gin Palace, not all of them are self-inflicted: some are catch-ups on patches from open source libraries. These include patches for ISC BIND, the GD graphics library libgd, the NTP (network time protocol) daemon, RPD (the routing protocol daemon …

ATO phone hacking 'tutorial' is tame unless you use a Nokia 1100

The “how to crack mobile phones” tutorial posted by an Australian Taxation Office employee appears not, as widely reported, to be evidence that the agency has the ability to penetrate a wide range of devices. The Australian Broadcasting Corporation reported that the ATO had “disciplined” a staffer who posted a presentation to …

Indian telco Reliance Jio denies claims of 100m record data breach

A row over data security is gripping India, with Reliance telco brand Jio denying claims it has leaked the details of 120 million customers. The FoneArena blog was first to spot data purporting to be LTE-only network Jio customer information on the now-suspended magicapk.com. While FoneArena asserts the information was …

Cloud Foundry had a privilege escalation bug

Open source devops platform Cloud Foundry has disclosed a potentially nasty bug in its User Account and Authentication server software. UAA is the Cloud Foundry ID management service, using OAuth2 to issue tokens for client applications that act on behalf of users. CVE-2017-8032 was patched in an update last week, and the …

GitHub acknowledges autocrats with 'code owner' feature

GitHub's taken a leaf out of Google's Chromium book, introducing a feature that puts review requirements under the control of someone designated as a code owner. Either individuals or teams can be code owners, responsible for a given slab of software and notified whenever someone makes a pull request. Those who hold the …

Japan joins quantum space race with microsatellite demo

Japan has become the latest country to demonstrate quantum communication with a satellite, in this case a micro-satellite named SOCRATES. The National Institute of Information and Communication Technology (NICT) announced the quantum key distribution (QKD) test, which showed off the capabilities of its SOTA quantum …

Samba slip-up smackdown: HPE stops NonStop Server bugs

HPE NonStop users running Samba need to get busy applying workarounds to a pair of remotely exploitable vulnerabilities. The first, SambaCry, has been present in Samba since 2010 but was named and outed in late May 2017. Assigned CVE-2017-7494, it allowed a malicious Samba client with write access to execute code as root. …

G20 calls for 'lawful and non-arbitrary access to available information' to fight terror

Comment The meeting of G20 leaders decided to do something about the internet. The final G20 Leaders' Statement on Countering Terrorism included the following plan: We will work with the private sector, in particular communication service providers and administrators of relevant applications, to fight exploitation of the internet …

European Telecoms Standards Institute emits mobile edge APIs

The European Telecommunications Standards Institute has unveiled the first APIs created under its Multi-Access Edge Computing project. The name of the multi-access edge (MEC) game is to open up computing in mobile base stations to third-party developers. The API releases cover mobile edge services, application lifecycle …

LHC finds a new and very charming particle: the Xicc++ baryon

What happens if you get two charm quarks together in one baryon? Something four times as heavy as a proton that can help the world understand the strong nuclear force, according to boffins at the Large Hadron Collider. Last week, CERN announced the first “unambiguous” observation of a particle comprising the two charm quarks …

Roland McGrath steps down as glibc maintainer after 30 years

Open source luminary Roland McGrath has decided “enough is enough” – after 30 years on the GNU C Library (glibc) project. As a teenager in 1987 – working back from the age he gives in his mailing list post, as a 15-year-old, in fact – McGrath began writing glibc, and he reckons that devoting “two thirds of my lifespan so far” …

Canberra reviewing online Medicare lookup after data breach

It looks like the government's figured out how Australians' Medicare numbers were leaking and ending up on a Tor trading site: an insider abusing a login. Last week, the existence of “The Medicare Machine” became public after a journalist for The Guardian purchased his own Medicare information from the site for $30 worth of …

Biometric data stolen from corporate lunch rooms system

A US payment kiosk vendor has been stung by malware scum. Avanti Markets helps employers monetise the lunch-room and get rid of counter-service, going beyond a simple vending machine to cover the whole sandwiches-fruit-drinks-junk-food with one payment system. Last week, as first spotted by Brian Krebs, the company posted …

Hard Rock hotels burgered up by Sabre breach

Two more hotel chains are warning customers they were caught by the breach of Sabre's "SynXis" hotel booking service that emerged earlier this year. Last Thursday, the Hard Rock chain warned that customers of 11 of its properties may have been caught up in the breach. According to Hard Rock's confession, Sabre advised it the …

Someone's phishing US nuke power stations. So far, no kaboom

Don't panic, but attackers are trying to phish their way into machines in various US power facilities, including nuclear power station operators. It seems so far that whoever is behind the campaign has tried phishing and watering-hole attacks, but haven't got beyond corporate networks (which in critical infrastructure should …

Biting the hand that feeds IT © 1998–2017