Richard Chirgwin

Buggy Riverbed portal needs patching – now

Riverbed admins: get busy patching the SteelCentral Portal application. Digital Defense discovered the bugs, which include two authentication flaws and two information disclosure vulnerabilities. First, there’s an unauthenticated file upload bug in the portal’s UploadImageServlet, which delivers remote code execution at the …

Database deletion downed Digital Ocean last week

Ouch: last week, Digital Ocean took the GitLab fat-finger pill, deleting a production database and triggering a five-hour outage. Unlike GitLab's disaster, the Digital Ocean “engineer-driven configuration error” didn't include a backup failure. In its apology for the “unacceptable” turn of events, Digital Ocean explains that …

Evil ISPs could disrupt Bitcoin's blockchain

Attacks on Bitcoin just keep coming: ETH Zurich boffins have worked with Aviv Zohar of The Hebrew University in Israel to show off how to attack the crypto-currency via the Internet's routing infrastructure. That's problematic for Bitcoin's developers, because they don't control the attack vector, the venerable Border Gateway …

MyHealthRecord slammed in privacy uproar

The Australian government has found itself embroiled in a privacy furore, this time for the privacy settings on its MyHealthRecord e-health system. At issue is the system's default privacy setting, which is that any health professional treating an individual can access their whole health history. On the upside, that means if …

nbn™ trials 10 Gbps fibre tech most of you will never see

Nokia seems to believe in the future of fibre: it's run a test with nbn™ demonstrating next-generation passive optical networking (NG-PON) running at 10 Gbps. If it looks like mixed messaging to you, you're probably not alone, since under current plans, the only households able to run any kind of PON are those who already …

TP-Link 3G/Wi-Fi modem spills credentials to an evil text message

TP-Link's M5350 3G/Wi-Fi router has the kind of howling bug that gives infosec pros nightmares. In what looks like a feature created for developers' convenience, but left behind when it should have been deleted, the device's admin credentials can be retrieved by text message. The discoverer of the bug, a German company …

Apple finally teaches Android music app to validate certificates

If you're so much of an Apple fan that you run Apple Music on Android devices, there's an upgrade to patch against a man-in-the-middle vulnerability. Eight months ago, Canadian security researcher David Coomber discovered that Apple Music for Android 1.2.1 and older doesn't validate the SSL certificates presented when logging …

OLE-y hell. Bug in MSFT Word allows total PC p0wnage

All eyes will be on Microsoft's April patch run - due tomorrow - to see whether Redmond gets ahead of a nasty Word zero-day that popped up last week. The hack exploits Object Linking and Embedding and the FireEye researchers who discovered the bug were working with Microsoft, but were pre-empted by a disclosure from McAfee. …

Reworked Arista kit going back on sale in America

Arista has been cleared by US Customs and Border Protection (CBP) to start shipping modified products to the United States again. Arista sought the right to do so because of its long-running litigation with Cisco, which believes Arista has pinched its intellectual property. The fight's been running since 2014 and some of …

Wisdom of crowds plus a splash of AI give Australia new national analytical map data

Australia's Public Sector Mapping Agency (PSMA) and US satellite constellation operator DigitalGlobe have joined together to come up with a whole-of-continent, high-resolution analytical data set. Perhaps in need of a high-value product after its G-NAF (Geocoded National Address File) was published for free at Data.gov.au, the …

Stop us if you've heard this: Cisco Aironet has hard-coded passwords

Cisco's discovered that its Mobility Express Software, shipped with Aironet 1830 Series and 1850 Series access points, has a hard-coded admin-level SSH password. The default credentials open affected devices to remote exploitation if an attacker has “layer 3 connectivity to an affected device”. The bug is in access points …

Oz regulator hauls Apple to court over iBricks

Apple's “error 53” i-Thing bricking bug has landed it in court again, this time in Australia. “Error 53” has been a source of irritation for iPhone customers for years: if iOS detects an unauthorised Touch ID module, iOS locks itself down, effectively bricking the phone – and only someone with Apple's blessing can fix it. The …

Facebook's going to block revenge smut with AI. Or humans. Or both

+Comment Well, that's awkward. Facebook's head of global safety and CEO Mark Zuckerberg on Wednesday gave differing descriptions of the advertising network's just-launched “AI” powered “online safety” initiative. The idea is that if someone's intimate images are shared without permission as “revenge porn”, the site's systems will be …

DTA gets its new CEO, opposition tells gummint to get some 'nous'

Australia's Digital Transformation Agency has a new project-canceller-in-chief, announcing that ex-banker Gavin Slater will succeed interim CEO Nerida O’Loughlin as of May 1. Slater is credited with driving a “widespread digital transformation” at the National Australia Bank, before joining fellow executive Renee Roberts on …

Sorry eh? Canadian mounties own up: Yes, we own 10 IMSI-catchers

The Royal Canadian Mounted Police has ‘fessed up to a long-held suspicion that it uses Stingray-style equipment to track mobile phones. At the same time, in an interview with public broadcaster CBC, Chief Superintendent Jeff Adam says IMSI (international mobile subscriber identity)-catchers that CBC News believes it spotted in …

Amazon looks between the couch cushions for US$70m for kids' in-app spending spree refunds

Amazon is going to refund as much as US$70m of in-app charges racked up by American children, after reaching agreement with US trade watchdog the FTC. The regulator sued the web souk in 2014. At the time, it cited internal emails discussing the e-tailer’s inability to control in-app purchases as a “near house on fire,” and …

Pong, anyone? How about Pong on a vintage oscilloscope?

Warning: there's no real IT angle in a chap hacking a venerable Tektronix Type 422 oscilloscope to play Pong. It's just fun. The Frankensteinian machine is the brainchild of Glen Kleinschmidt over at the electronic hobbyist site EEVBlog. There's no “take the easy way” about Kleinschmidt's work: sure, it might be easy to …

Patch Qubes to prevent pwnage via Xen bug

Xen has a critical bug that means Qubes 3.1 and 3.2 need an immediate patch, for Xen packages between 4.6.4 and 4.6.26. A recent patch introduced the bug, which according to the advisory is an insufficient check on the XENMEM_exchange input, “allowing the caller to drive hypervisor memory accesses outside of the guest provided …

Schneider Electric still shipping passwords in firmware

That “don't use hard-coded passwords” infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electric's developers' eyes so they don't forget it. Yes, it's happened again, this time on the SCADA vendor's Schneider Modicon TM221CE16R, Firmware 1.3.3.3 – and without new firmware, users are stuck, …

RAT-catchers spot new malware attacking South Korean word processor

Cisco Talos researchers reckon South Korean users are again under attack from a new malicious RAT (remote administration tool) they've dubbed ROKRAT. Back in February, the security researchers reported an attack that used a compromised government Website to distribute malware in macro-laden documents attacking users of the …

Apple fans, Android world scramble to patch Broadcom's nasty drive-by Wi-Fi security hole

Yesterday, Apple rushed out an emergency patch to plug a severe security hole that can be exploited to wirelessly and silently commandeer iPhones, iPads and iPods. Now we know why: this remote-code execution vulnerability lies in Broadcom's Wi-Fi stack, which Apple uses in its handhelds. Many other handsets and Wi-Fi routers …

NY court slaps down Facebook's attempt to keep accounts secret from search warrants

Facebook has lost more skin in its battle to avoid handing over user account details to a US court. In a 5‑1 decision documented by Judge Leslie Stein, the New York State Court of Appeals today said it lacks the jurisdiction to overturn the warrants, and that challenging warrants is none of Facebook’s business – that’s up to …

Google's video recognition AI is trivially trollable

Early in March, Google let loose a beta previewing an AI to classify videos – and it only took a month for University of Washington boffins to defeat it. The academics' approach is trivial: all the researchers (led by PhD student Hossein Hosseini) did was insert a still photo “periodically and at a very low rate into videos …

Optical boffins tweak antennae with photons so MIMO can make WiFi serve more masters

Phased-array antennas, a technology crucial to modern Wi-Fi systems that use beam-forming to improve throughput, have a speed limit in how quickly beams can be manipulated. Beams are formed by adjusting a microwave signal's timing at different antennas in a multiple-in, multiple-out (MIMO) system so that they reinforce in some …

Free Range Routing project takes aim at Cisco with server-as-router project

A group of open networking companies have dispatched a fleet of X-Wing fighters in the direction of the biggest target in networking: Cisco. Under the auspices of the Linux Foundation, Cumulus Networks, Orange, 6WIND, Architecture Technology, LabN Consulting, NetDEF (OpenSourceRouting), and Volta Networks have launched the …

Biting the hand that feeds IT © 1998–2017