John Leyden


Thousands of UK drivers' details leaked through hole in parking ticket website

Thousands of UK drivers have been caught up in a data breach at a UK parking firm. A database of parking ticket details held by PaymyPCN.net covering almost 10,000 motorists was mistakenly published online. A security flaw on the private parking firm's website allowed public access to names, addresses, photographs and emails. …
John Leyden, 27 Feb 2015

C’mon Lenovo. Superfish hooked, but Pokki Start Menu still roaming free

As Lenovo struggles to extricate itself from the controversy surrounding pre-installed Superfish scumware on its machines, a blast of cruft from the past may give the PC slinger's critics extra ammo this week. A Reg reader, who wishes to remain anonymous, reminds us that Lenovo is still shipping laptops with a potentially …
John Leyden, 25 Feb 2015

Don't be fooled! He's not from the IT crowd... he's a CYBERSPY – FireEye

Impersonating IT departments in spear-phishing attacks is becoming an increasingly popular tactic among hackers, particularly in cyber-espionage attacks. IT staff themed phishing emails comprised 78 per cent of observed phishing schemes picked up by FireEye in 2014, compared to just 44 per cent in 2013. The sixth annual FireEye …
John Leyden, 24 Feb 2015

MP resigns as security committee chair amid 'cash-for-access' claims

Former foreign secretary Sir Malcolm Rifkind is stepping down as chair of the UK Parliament’s influential security committee in the wake of "cash for access" allegations. In a statement, Rifkind said he intends to remain a member of the Intelligence and Security Committee but will step down as chairman. The ISC, which oversees …
John Leyden, 24 Feb 2015

SSL-busting adware: US cyber-plod open fire on Comodo's PrivDog

Updated The US Department of Homeland Security's cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo. Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog. What is PrivDog? Let's allow the US Computer Emergency …
John Leyden, 24 Feb 2015

Psst, hackers. Just go for the known vulnerabilities

Despite all the publicity about zero-day exploits, a big percentage of breaches (44 per cent) come from vulnerabilities which are two to four years old. Server misconfigurations were the number one vulnerability, according to the latest edition of HP’s annual Cyber Risk Report, which concludes that well-known issues posed the …
John Leyden, 23 Feb 2015

Calling all cybercrooks: Ready-made phone attack rig for sale

Cybercrooks are marketing a hardware-based tool for running denial of service attacks on telephone systems. The Telephone Denial of Service attacks (TDoS) rig is being sold by a group of cybercriminals called “TNT” from Eastern Europe via underground cybercrime forums. The tool, called “TNT Instant Up”, features a special …
John Leyden, 23 Feb 2015

'NSA, GCHQ-ransacked' SIM maker Gemalto takes a $500m stock hit

The world's biggest SIM card manufacturer, Gemalto, revealed yesterday to have been hacked by the NSA and GCHQ, has taken a $470m hit in its stock price. Gemalto was caught unawares by the revelation that the US and UK intelligence agencies had compromised its systems, and stole potentially millions of SIM card keys used to …
John Leyden, 20 Feb 2015

TrueCrypt + Norton AV = BSOD, wail disgruntled users

Updated Encrypted disk users who upgrade to Norton 2015 have been confronted by the dreaded Blue Screen of Death. Norton 2015 appears to trigger a crash on Windows 8.1 PCs that runs a disk encryption driver, according to user complaints about the problem in a thread on a Symantec support forum. Many of those affected are running …
John Leyden, 20 Feb 2015

Evil CSS injection bug warning: Don't let hackers cross paths with your website

Developers should check their websites for path-relative stylesheet import (PRSSI) vulnerabilities, which can allow miscreants to hijack web pages and steal login cookies, security researchers have urged. PRSSI flaws were documented by Gareth Heyes early last year; he calls them relative path overwrites. The trick is to lure …
John Leyden, 20 Feb 2015

Superfish: Lenovo ditches adware, but that doesn't fix SSL megavuln – researcher

Lenovo is attempting to defuse controversy over its pre-installed Superfish crapware – which appears to have run man-in-the-middle attacks against consumers in order to sling ads – by saying it has discontinued use of the visual-recognition technology on new laptops and promising to review outstanding concerns. Superfish …
John Leyden, 19 Feb 2015

Babar the Elephant: Another malware plague with a cute name

A strain of French-language cyber-espionage malware spotted by infosec researchers shows that the NSA aren't the only spook agency brewing custom nasties to steal sensitive data. Babar was first mentioned in documents from Canadian intel agency CSEC (Communications Security Establishment Canada) leaked by Edward Snowden. They …
John Leyden, 19 Feb 2015

iBank: RBS, NatWest first UK banks to allow Apple Touch ID logins

RBS and NatWest have become the first UK-based banks to offer their customers the option to log in to mobile banking apps using Apple’s Touch ID fingerprint recognition technology. From today (19 February), RBS and NatWest customers who have an iPhone 5S, iPhone 6 or iPhone 6 plus will be able to access their mobile banking app …
John Leyden, 19 Feb 2015

Check Point buys bare-metal security upstart Hyperwise

Check Point has pounced early to buy up stealth-mode security startup Hyperwise, which does sandboxing on the CPU itself rather than in the OS. Financial terms of the deal, announced on Wednesday, were not disclosed. Israel-based Hyperwise’s CPU level threat prevention technology is designed to throttle malware-based attacks at …
John Leyden, 18 Feb 2015

Obama turns back on spooks: 'I'm on the side of strong encryption'

+Vid US President Barack Obama has come out forcefully in favour of strong encryption despite the opposition of his intelligence establishment. Encryption has been a hot topic over recent weeks with Western law enforcement and intelligence agencies complaining about encryption-by-default in modern communication tools such as …
John Leyden, 18 Feb 2015

A cookie with a 7,984-year lifespan. Blimey, Roy Batty only got 4!

A cookie can last 7,984 years, according to a new international privacy study, far outlasting the operational usefulness of the device (or human user presumably). The idea that some of the small files stored on a device when it is used to visit a website are programmed to last at least as long (if not far longer) than the …
John Leyden, 18 Feb 2015

Samsung's spying smart TVs don't encrypt voice recordings sent over the internet – new claim

Updated Not only is your Samsung smart TV snooping on what you say, it sends recordings of your voice over the internet unencrypted – leaving it open to eavesdropping and mischief – security researchers say. Samsung insisted last week that its TV voice-control technology isn't half as creepy as its terms and conditions suggested. But …
John Leyden, 17 Feb 2015

Boffins now one step closer to male birth control pill

Boffins are developing two new methods for birth control that may eventually lead to the availability of a “male pill”. H2-gamendazole, an organic compound that prevents sperm from reaching maturity, is going through animal testing. Sperm cells grow a tail and head in the testis, but H2-gamendazole blocks this metabolic process …
John Leyden, 17 Feb 2015

Israeli gov & boffins targeted by pr0ntastic malware from Gaza

Hackers from Gaza and Egypt appear to have teamed up in order to attack Israeli government, research, infrastructure and military networks. Security researchers at Trend Micro have traced ongoing malware-based attacks against Israeli organisations back to Gaza. Trend have uncovered two separate, but interconnected campaigns. …
John Leyden, 16 Feb 2015

WhatDaHell, WhatsApp? Student claims 'stalker' tool shows security flaws

A newly discovered security flaw in WhatsApp allows anyone to track a user’s status, regardless of their privacy settings, a student claims. The same bug also lifts the kimono on profile picture and privacy settings - in default settings only - and status messages regardless of privacy settings. Maikel Zweerink, a Dutch …
John Leyden, 16 Feb 2015

Violin-fiddling boffins learn that 'F-HOLES' are secret to Stradivarius' SUPERIOR sound

Scientists have identified the design features that boost the acoustic power of violins. Italian workshops of master violin-making families (such as Stradivari) produced increasingly powerful instruments in the renaissance and baroque musical eras during the 17th and 18th centuries, the so-called Cremonese era. Advances in the …
John Leyden, 15 Feb 2015

Microsoft: Oh, go on, Xbox Live user. Show us your spammer

The hugely annoying nuisance that has plagued email for decades has found its way into gaming, most recently spreading to affect their mobile and instant messaging experiences. Spammers are affecting online gaming, with Xbox users in particular reporting an increase in spam reaching them from multiple gamertags. In response …
John Leyden, 13 Feb 2015

KUSHINIKIZA! Google Translate SAVES BABY in Irish roadside birth

Quick-thinking Irish paramedics turned to Google Translate to communicate with a pregnant woman who spoke Swahili, allowing her to safely give birth. The Cork ambulance drivers were transporting a pregnant Congolese woman to a maternity hospital last week when she went into labour. Gerry McCann and Shane Mulcahy were forced to …
John Leyden, 13 Feb 2015

Gullible Apple users targeted by bogus order cancellation scam

Cybercrooks are targeting Apple iCloud users with phishing messages designed to steal financial information. A new run of spam messages offers a slight twist on the popular "bogus order" scam. Instead of simply telling you about a payment you're supposed to have made, prospective marks are invited to cancel a transaction already …
John Leyden, 13 Feb 2015

Uber: Sorry we're really awesome and all that (oh yeah, and for leaking your personal info)

Taxi cab app maker Uber left its list of customers' lost belongings wide open to the internet – exposing phone numbers and other personal info in the process. The privacy snafu, revealed and corrected this week, marks the latest controversy for the San Francisco-headquartered upstart. Vice reports the internal Uber document was …
John Leyden, 13 Feb 2015

Dutch government websites KO'd by 10-hour DDoS

The Netherlands government’s websites were taken offline for around 10 hours on Wednesday following a DDoS attack. The motive for the sustained packet-flinging assault – directed against the Dutch government website's hosting provider, Prolocation – remains unclear. A brief statement (Google translation here) by the Dutch …
John Leyden, 12 Feb 2015

Anonymous HACKED GAS STATIONS - and could cause FUEL SHORTAGES

Hackers – possibly affiliated with Anonymous – have already attacked at least one internet-connected gas (petrol) station pump monitoring system. Evidence of malfeasance, uncovered by Trend Micro, comes three weeks after research about automated tank gauge vulnerabilities from Rapid7, the firm behind Metasploit. Automated tank …
John Leyden, 11 Feb 2015

Never mind, Samsung, GOOGLE will EAVESDROP as you browse on Chrome

Those uneasy about Samsung's "smart" television terms and conditions are going to have a nervous wobble about a project along the same lines underway at Google’s Chocolate Factory. The realisation that anything spoken near your Smart TV might be recorded and transmitted to a third party is bad enough, but how about the …
John Leyden, 11 Feb 2015

Facebook: Hey guys, come share all your securo-blunders with us!

Facebook is teaming up with other big names on the interwebs to create a security information sharing portal, dubbed ThreatExchange*, which went live on Wednesday. ThreatExchange is billed as a platform that enables security professionals to “share threat information more easily, learn from each other's discoveries, and make …
John Leyden, 11 Feb 2015

Silent but violent: Foul Google Play flaw lets hackers emit smelly apps

A couple of related vulnerabilities on the Google Play Store have left Android users vulnerable to malware-slingers. Security watchers warn that an X-Frame-Options flaw – when combined with a recent Android WebView (Jelly Bean) bug – creates a means for hackers to silently install any app from the Google Play store. Tod …
John Leyden, 11 Feb 2015

Internet of Thieves: All that shiny home security gear is crap, warns HP

In a recent study, every connected home security system tested by HP contained significant vulnerabilities, including but not limited to password security, encryption, and authentication issues. HP's Fortify on Demand security service assessed the top 10 home security devices – such as video cameras and motion detectors – along …
John Leyden, 10 Feb 2015

Anonymous loose cannon admits DDoSing social services and housing websites

A middle-aged Briton has admitted running a series of debilitating denial of service attacks against social services, social housing and crime prevention websites. Ian Sullivan, 51, of Bootle, Merseyside, also admitted responsibility for a series of Distributed Denial of Service (DDoS) attacks against private sector firms, …
John Leyden, 10 Feb 2015

ACHTUNG! Scary Linux system backdoor turns boxes into DDoS droids

Cybercrooks have cooked up a backdoor for Linux-powered systems that boasts multiple malicious functions. The Swiss Army Knife-style malware – dubbed Xnote.1 by Russian anti-virus company Doctor Web – can be used as a platform to mount distributed denial-of-service attacks and other evil activities. To spread the software nasty …
John Leyden, 10 Feb 2015

Keyless vehicle theft suspects cuffed after key Met Police, er, 'lockdown'

Police have arrested 16 suspects on suspicion of car theft during the first week of an operation targeting keyless vehicle theft. Operation Endeavour was launched by the Metropolitan Police in response to a rise in theft of motor vehicles. Organised criminals are increasingly stealing keyless vehicles using a device which bypasses …
John Leyden, 10 Feb 2015

Start stockpiling tinned beans and ammo: This malware will end civilisation

Media hype is affecting vendors’ patching strategies to the detriment of internet security, vulnerability management firm Secunia warns. The high-profile Heartbleed OpenSSL vulnerability triggered the mass patching of 600 products by more than 100 vendors within just 40 days. A further OpenSSL vulnerability from June 2014 led to …
John Leyden, 06 Feb 2015

Japan's death threat hacker collared ... BY A CAT

A Japanese hacker who hijacked computers using malware before issuing death threats through the compromised machines has been jailed for eight years. Yusuke Katayama, 32, threatened to blow up planes and attack a kindergarten attended by the grandchildren of Japan's Emperor Akihito before he was finally nabbed in February 2013 …
John Leyden, 05 Feb 2015

Forget Norks, Russian hackers are in Sony Pictures' servers – claim

There's a new twist in the already tangled tale of the Sony Pictures mega-hack: it's now claimed Russians possibly broke into the company's computers. Miscreants in the Putin-led nation comprehensively compromised the Hollywood studio's servers, and were responsible for most of the damage against its systems, reckons Jeffrey …
John Leyden, 04 Feb 2015

Sage Pay anti-POODLE upgrade REDUCED security - briefly

Online payment service Sage Pay has been fingered for temporarily reducing its security while revamping its site security. Security consultant Paul Moore noticed that the Sage Pay website was briefly running a weak cipher last week. The issue was quickly corrected after Moore went public with his concerns on Tuesday. He …
John Leyden, 04 Feb 2015

Wanted: Brit Facebook and Twitter trolls for counter-jihad psyops

A new British Army unit will embrace web-enabled psyops and cyber-warfare to fight against the message of groups such as ISIS in cyberspace. The 77th Brigade is due to launch in April with 1,500 personnel, including regular soldiers, sailors and airmen as well as part-time reservists. Desirable skills for would-be recruits …
John Leyden, 04 Feb 2015

Germany's BND muscles in on metadata mass surveillance

Germany's external spy agency saves tens of millions of phone records every day, according to leaked files that expose its NSA-style mass surveillance programme for the first time. The Bundesnachrichtendienst, or BND, Germany's foreign intelligence agency, collects metadata on 220 million calls every day, with at least some of …
John Leyden, 04 Feb 2015

Zimmermann slams Cameron’s ‘absurd’ plans for crypto ban

Crypto pioneer Phil Zimmermann has labelled UK Prime Minister David Cameron’s anti-encryption plans as "absurd". Zimmermann, creator of the PGP email privacy package, countered Cameron's argument that encryption is creating a means for terrorists and child abusers to communicate in private, arguing instead that intelligence …
John Leyden, 03 Feb 2015

DARPA: We KNOW WHO YOU ARE... by the WAY you MOVE your MOUSE

The US's mad-tech military boffin unit is developing a form of biometric measurement based on how a user handles a mouse. Behaviour-based biometrics, for example how a computer user handles their mouse or crafts an email, would add to the existing repertoire of authentication techniques. Existing authentication techniques include …
John Leyden, 03 Feb 2015

New claim: D-Link router exposes unprotected config controls to web – DNS hijackers, ahoy!

D-Link router DSL-2740R, and possibly more like it, are allegedly vulnerable to DNS hijacking – which hackers can exploit to lure victims to dodgy websites and servers. According to Bulgarian security researcher Todor Donev, the flaw lies in certain builds of ZyXEL's ZynOS firmware, which is used in network hardware from TP-Link …
John Leyden, 02 Feb 2015

Trouble comes in threes: Yet ANOTHER Flash 0-day vuln patch looming

Adobe plans to patch Flash yet again after yet another zero-day vulnerability in the web video software leaves PCs prone to hijacking. The PSA15-02 security advisory details a security hole that hackers are already exploiting to compromise vulnerable systems. An upcoming update to squash the critical bug makes it three patches …
John Leyden, 02 Feb 2015

Fake hottie hackers flung info-slurping malware at Syrian opposition – FireEye

Cyberspies used social engineering trickery to steal Syrian opposition’s strategies and battle plans, according to security researchers. Hackers employed a familiar tactic: ensnaring victims through conversations with seemingly sympathetic and attractive women. As the conversations progressed onto Skype chats, the “women” would …
John Leyden, 02 Feb 2015

Teen whiz exposes WhatsApp profile pic privacy blunder bug

A privacy hole in WhatsApp allowed anyone to view someone else's profile photo – even if a user had configured the mobile messenger app to only show their pic to their contacts. The privacy slip-up, which came with the debut of WhatsApp’s newly-introduced web interface at web.whatsapp.com, was discovered by 17-year-old security …
John Leyden, 30 Jan 2015

UK official LOSES Mark Duggan shooting discs IN THE POST

Discs containing information from three sensitive police inquiries – two of which involved highly controversial shootings in London, including that of Mark Duggan – have gone missing after being sent through the post. Yeah, you read that right: sent through the post. The information covers probes into the role of the police in …
John Leyden, 30 Jan 2015

Wham, bam... premium rate scam: Grindr users hit with fun-killing charges

Malicious ads from third parties have been piggy-backing on the gay dating app Grindr to run a premium rate number scam. Grindr blamed a third-party network for pushing the dodgy advert, which was withdrawn after representations from El Reg. We learned of the apparent scam after hearing from Tom, a UK-based Grindr user. "The …
John Leyden, 30 Jan 2015

What do China, FBI and UK have in common? All three want backdoors in Western technology

The Chinese government wants backdoors added to all technology imported into the Middle Kingdom as well as all its source code handed over. Suppliers of hardware and software must also submit to invasive audits, the New York Times reports. The new requirements, detailed in a 22-page document approved late last year, are …
John Leyden, 29 Jan 2015

Snowden reveals LEVITATION technique of Canada’s spies

Canada's very own intel agency has a program designed to track millions of downloads, according to the latest revelations from the Edward Snowden document leaks. The "Levitation" system gives analysts at the Communications Security Establishment (Canada's NSA) data on between 10-15 million uploads and downloads of files from …
John Leyden, 29 Jan 2015