John Leyden


Want to download free AV software? Don't have a Muslim name

Exclusive Software export controls are being applied to blacklisted people as well as countries: and these controls apply to routine security packages such as freebie antivirus scanning software, as well as more sensitive technologies, El Reg has concluded. We've come to this way of thinking after investigating why Reg reader Hasan Ali …
John Leyden, 07 Aug 2015

Oh no ZigBee, as another front opens on home networking insecurity

Black Hat 2015 Security researchers have exposed new flaws in ZigBee, one of the most popular wireless communication standards used by Internet of Things (IoT) devices. Implementations of ZigBee in home networks are required to support an insecure initial key transport, making it possible to compromise ZigBee networks and take …
John Leyden, 06 Aug 2015

Android faces SECOND patching crisis, on the same scale as Stagefright

Hours after Google and smartphone makers promised an imminent patch for the infamous Stagefright vulnerability, another critical flaw in Android is being outed. The “Certifi-gate” vulnerability allows applications to gain illegitimate privileged access rights, typically reserved for remote support applications that are either …
John Leyden, 06 Aug 2015

Popping the Tesla S bonnet – to reveal SIX NEW FLAWS

Security researchers have uncovered six fresh vulnerabilities with the Tesla S. Kevin Mahaffey, CTO of mobile security firm Lookout, and Cloudflare’s principal security researcher Marc Rogers, discovered the flaws after physically examining a vehicle before working with Elon Musk’s firm to resolve security bugs in the electric …
John Leyden, 06 Aug 2015

Hacking Team brewed potent iOS poison for non-jailbroken iThings

Hacking Team compromised non-jailbroken iOS devices using a variant of last year’s Masque Attack, in which Apple devices were infected via emails and text messages. That's according to a study of the 400GB of documents that were pilfered from the Italian snoop-ware maker's computers by hackers, and leaked online for all to see …
John Leyden, 06 Aug 2015

Major web template flaw lets miscreants break out of sandboxes

Black Hat 2015 A serious fresh category of web security vulnerability creates the potential for all sorts of mischief, security researchers warn. Template engines are widely used by web applications in order to present dynamic data via web pages and emails. The technology offers a server-side sandbox. The commonplace practice of allowing …
John Leyden, 05 Aug 2015

I could spoof Globalstar satellite messages, boasts infosec bod

Black Hat 2015 Intercepting and spoofing satellite communications carried over the Globalstar network is possible with modest technical skills and an investment of just $1,000, according to new research due to be unveiled at Black Hat. Globalstar is downplaying the threat, stating that its system isn’t getting hacked. Globalstar's consumer- …
John Leyden, 05 Aug 2015

Websites that ID you by how you type: Great when someone's swiped your password, but...

Debate is raging over the discovery that simple web browser extensions can defeat behavior-based biometric technologies. (In this case, behavior-based biometric technologies is a fancy way of saying JavaScript that profiles how people type so that they can be identified the next time they get behind the keyboard.) Passive …
John Leyden, 03 Aug 2015

‘Secure’ criminal justice email system relies on obsolete protocols

The Criminal Justice Secure eMail system (CJSM) relies on insecure protocols that some security conscious organisations deliberately block, claims a Register source. CJSM is run by Vodafone on behalf of the government and designed to provide secure communications between the GSI (Government Secure Intranet) and external …
John Leyden, 03 Aug 2015

Bitdefender feeling a bit tender: Hackers enter anti-distemper vendor

One or more miscreants have been able to slurp and leak usernames and passwords from Bitdefender. The unencrypted login details belonged to some of the security biz's small business customers. Bitdefender, which makes antivirus software and other stuff, admitted its system was breached following rumors (here and here) that …
John Leyden, 31 Jul 2015

US spied on Japanese PM Abe, Mitsubishi, and so much more

The NSA spied on Japan's prime minister, central bank, finance ministry and major corporations, such as the natural gas division of Mitsubishi, according to documents released today. The targets of the cyber-spying included stealing secrets on US-Japan relations, trade negotiations and climate change policy. Fruits of the …
John Leyden, 31 Jul 2015

Derelict TrueCrypt Russia portal 'is command hub for Ukraine spying op'

Malware used to attack Ukrainian government, military, and major news agencies in the country, was distributed from the Russian portal of encryption utility TrueCrypt, new research has revealed. Security peeps at ESET discovered a connection to a Russian version of the now discontinued popular source-is-available encryption …
John Leyden, 30 Jul 2015

Chinese hackers behind OPM megabreach also pwned United Airlines

United Airlines was hacked by the same Chinese group that also breached health insurer Anthem and the US government’s Office of Personnel Management (OPM). Hackers stole flight manifests from United Airlines in May or early June, exposing the names of people on many different flights in the process, after earlier making off with …
John Leyden, 30 Jul 2015

Strong ARM scoops up Sansa to boost IoT security

Chipmaker ARM has sealed a deal to buy Israeli Internet of Things (IoT) security specialist Sansa Security. Financial terms of the deal, announced Thursday, were not officially disclosed. However, the WSJ previously reported that around $75m-$85m was on the table. ARM makes the chips that power the majority of the world’s …
John Leyden, 30 Jul 2015

Be wary of that Russian. He might HAMMERTOSS a software nasty at you

Security researchers have blown the lid on another Russian cyberspy crew, rated as the most sophisticated yet by security firm FireEye. APT29 – which has only been operational since around the end of last year – uses a strain of malware called Hammertoss. "The group has demonstrated an understanding of network defenders’ …
John Leyden, 29 Jul 2015

How to quietly slurp sensitive data wirelessly from an air-gapped PC

Israeli academics have demonstrated how feature-phones can use GSM radio frequencies to wirelessly siphon data from infected "air-gapped" computers. Air-gapped computers are those kept physically isolated from other networks as a safeguard against hacking. The work by researchers at the Ben-Gurion University of the Negev (BGU …
John Leyden, 29 Jul 2015

A third of workers admit they'd leak sensitive biz data for peanuts

A third of employees would sell information on company patents, financial records and customer credit card details if the price was right. A poll of 4,000 employees in the UK, Germany, USA and Australia found that for £5,000, a quarter would flog off sensitive data, potentially risking both their job and criminal convictions …
John Leyden, 29 Jul 2015

Are smart safes secure? Not after we've USB'd them, say infosec bods

Vulnerabilities in “intelligent cash safe service” Brink's CompuSafe's cash management products will be demonstrated at the Def Con hacker conference in Las Vegas next week. Brink's CompuSafe offers a “smart safe as a service” technology to major retailers and fast food franchises. This smart safe can communicate how much …
John Leyden, 28 Jul 2015

Windows 10 in head-on crash with Nvidia drivers as world watches launch

Microsoft's automatic updates feature in Windows 10 has collided with Nvidia's driver system, sending the new operating system off the rails as it launches. Early adopters are experiencing glitches (particularly in multi-monitor setups), and in some cases crashes, all triggered when Windows 10 automatically updates its …
John Leyden, 28 Jul 2015

Biometric behavioural profiling: Fighting that password you simply can't change

Security researchers have developed a browser extension that supposedly defeats biometrics based on typing patterns, with the exercise designed, in part, to promote greater awareness about the emerging technology and the privacy risk it might pose. Biometric behavioural profiling allows a site to collect metadata about how a …
John Leyden, 28 Jul 2015

Unhinged Linux backdoor still poses a nuisance, if not a threat

Internet Igors have stitched together a new Linux backdoor. Fortunately for internet hygiene the botnet agent – which packs a variety of powerful features – is faulty and only partially functional. The backdoor, dubbed Dklkt-1, was designed to be a cross-platform nasty capable of infecting both Windows and Linux machines. …
John Leyden, 27 Jul 2015

Google burnishes Chrome to patch over 43 bugs

Google has pushed out a new cross-platform version of Chrome that fixes no less than 43 security bugs. Chrome version 44.0.2403.89 for Windows, Mac and Linux addresses 12 potentially “high-impact flaws”, several of which revolve around buffer overflow bugs. A pair of universal cross-site scripting bugs also rate towards the …
John Leyden, 24 Jul 2015

Jeep breach: Scared? You should be, it could be you next

Other vehicles may be at risk from hacking following the Jeep Cherokee incident, according to one of the two researchers who pioneered the spectacular auto exploit. Renowned car security researchers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee over a mobile network and found a way to control critical …
John Leyden, 24 Jul 2015

Now car hackers can bust in through your motor's DAB RADIO

Car brakes and other critical systems can be hacked via car infotainment systems, security researchers at NCC Group have revealed. The ingenious hack, demonstrated in an off-road environment, works by sending attack data via digital audio broadcasting (DAB) radio signals. This is similar to a hack that allowed security …
John Leyden, 24 Jul 2015

Contactless card fraud? Easy. All you need is an off-the-shelf scanner

Consumer association magazine Which? has highlighted a security flaw in contactless card systems, which, if combined with a lack of checks by retailers, could be exploited by thieves to make expensive online purchases. Researchers bought contactless card-reading technology from a mainstream website before using it to remotely …
John Leyden, 23 Jul 2015

Four phone hijack bugs revealed in Internet Explorer after Microsoft misses patch deadline

Updated Microsoft has run out of time to fix four critical security vulnerabilities in the mobile edition of Internet Explorer – prompting HP's Zero Day Initiative (ZDI) to disclose their existence without revealing any damaging details. All four of the flaws present a remote code execution (i.e. malicious code injection on a Windows …
John Leyden, 23 Jul 2015

Cyber poltergeist threat discovered in Internet of Stuff hubs

New security research has revealed a whole new area of concerns for the soon-to-be-everywhere Internet of Things – smart home hubs. Hubs – devices that link into home networks to control lighting, dead-bolt locks and cameras – can be dangerously vulnerable to attack, according to security tools firm TripWire. Craig Young, a …
John Leyden, 23 Jul 2015

Hark, the Hacking Team angels sing, it’s not us who’ve actually sinned

The Hacking Team pushed out a new statement on Wednesday, moaning that the only victim of the mega-breach against its systems is Hacking Team itself. Eric Rabe, the firm's chief marketing and communications officer, complained that the controversial outfit is “being treated as the offender, and the criminals who attacked the …
John Leyden, 22 Jul 2015

Ashley Madison invites red-faced cheats to bolt stable door for free

Adulterous hook-up site Ashley Madison is allowing all members to fully delete their profiles without charge in the aftermath of a serious data breach that threatens the site's future. Previously, if users wanted to delete their records (profile, pictures and messages sent through the system) they were obliged to pay around $20 …
John Leyden, 21 Jul 2015

Scammers going after iOS as fake crash reports hit UK

Tech support scammers have begun targeting UK iPhone and iPad users, offering to fix problems that don't actually exist. Cold call scams that seek to hoodwink Windows users into paying for useless remote diagnostic and cleanup services have been an issue for years. More recently, scammers have broadened their sights to target …
John Leyden, 21 Jul 2015

Spyware-spewing Wi-Fi drone found on Hacking Team, Boeing's to-do list

Leaked emails have exposed plans by Hacking Team and a Boeing subsidiary to deliver spyware via drones for sale to government agencies. The scheme proposed the use of unmanned aerial vehicles (UAVs or drones) to deliver Hacking Team's Remote Control System Galileo spyware via Wi-Fi networks from above. Boeing subsidiary Insitu …
John Leyden, 20 Jul 2015

Norton for Windows 10 is NOT a box-borking beta, insists Symantec

A recent update to Norton designed to add compatibility for Windows 10 is incompatible with mainstream Windows releases, according to some users. Symantec is denying that these issues are anything worse than teething problems, although this has so far failed to placate critics. Users are loudly complaining about borked Win 8. …
John Leyden, 20 Jul 2015

Fragmented Android development creating greater security risks

The fragmentation of Android is creating additional security risks, as the rush to release new devices without sufficient testing is inadvertently introducing security flaws, security researchers have warned. The researchers – Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed and XiaoFeng Wang – uncovered flaws in …
John Leyden, 20 Jul 2015

Ashley Madison hack: Site for people who can't be trusted can't be trusted

Ashley Madison, a popular website for married people wishing to cheat on their other halves, has been hacked with obviously serious implications for those whose details it held. Previously unknown hacking group The Impact Team posted online caches of personal data stolen from the website, whose motto is "Life is short. Have an …
John Leyden, 20 Jul 2015

Password manager Mitro will shutter itself on 31 August

Password manager service Mitro is to shut down permanently from the end of August. The announcement comes just less than twelve months after Mitro was acquired by Twitter for an undisclosed amount. Mitro open sourced its server and client software through GitHub at the same time in late July 2014. Mitro's team joined …
John Leyden, 17 Jul 2015

Thunder-faced Mozilla lifts Flash Firefox block after 0-days plugged

Mozilla has lifted its blanket block on Flash in Firefox following the release of security updates by Adobe on Tuesday. Although the short-term block has been lifted, the whole flap appears to have re-energised efforts at Mozilla to work on Flash alternatives. The block – imposed on Monday – meant that all versions of Flash …
John Leyden, 16 Jul 2015

Your security is just dandy, Apple Pay, but here comes Android

Analysis Most security experts estimate that the security offered within (and by) Apple Pay is superior to that seen in existing contactless credit or debit card systems. However, the success of the technology in the UK may well depend more on commercial factors than anything else, with one payments expert warning that merchant fees …
John Leyden, 16 Jul 2015

Infosec bigwigs rally against US cyber export control rule

Infosec heavyweights are uniting to oppose US government proposals to tighten up export controls against software exploits, a move critics argue threatens to imperil mainstream security research and information sharing. The proposed regulation, based on the Wassenaar Arrangement of 1996 and not originally intended to include …
John Leyden, 15 Jul 2015

Malwarebytes slurps startup, hopes to belch out Mac malware zapper

Security software firm Malwarebytes is moving into the Mac security software market with the acquisition of a start-up and the launch of its first anti-malware product for Apple computers. Malwarebytes Anti-Malware for Mac is designed to detect and remove malware, adware, and PUPs (potentially unwanted programs). The release …
John Leyden, 15 Jul 2015

GET PATCHED: Adobe plugs Hacking Team Flash holes and more

Adobe has released patches for its Flash software to fix a pair of critical security vulnerabilities exposed by the Hacking Team megabreach. The bugs can be exploited to hijack PCs and infect them with malware – and crooks are already doing just that, so apply the updates now. The security bulletin for Adobe Flash Player ( …
John Leyden, 14 Jul 2015

Tour de France leader's cycling data may have been hacked by doping critics

Professional cycling outfit Team Sky fears critics of team member and current Tour de France leader Chris Froome may have hacked into its systems and stolen training data. Froome's detractors have previously used power data in alleging the cyclist was using performance-enhancing drugs. The 30-year-old, who has always insisted …
John Leyden, 14 Jul 2015

Hacking Team spyware rootkit: Even a new HARD DRIVE wouldn't get rid of it

Hacking Team RCS spyware came pre-loaded with a UEFI (Unified Extensible Firmware Interface) BIOS rootkit to hide itself on infected systems, it has emerged following the recent hacking of the controversial surveillance firm. The stealth infection tactic, which has been revealed through leaked emails arising from last …
John Leyden, 14 Jul 2015

Mozilla loses patience with Flash over Hacking Team, BLOCKS it

Mozilla has temporarily blocked Flash in Firefox while waiting for Adobe to release patches to fix yet more serious security holes in the Swiss-cheese-like plugin. These holes can be exploited by criminals to hijack PCs and infect them with malware; details of the bugs emerged from leaked Hacking Team files. Firefox began …
John Leyden, 14 Jul 2015

Sixty-five THOUSAND Range Rovers recalled over DOOR software glitch

Jaguar Land Rover is recalling no less than 65,000 of its SUVs due to a software problem that caused the cars' doors to unlock themselves - potentially while in motion. The issue, which potentially creates a heightened theft-by-hijack risk, affects Range Rover and Range Rover Sport vehicles sold in the UK over the last two …
John Leyden, 14 Jul 2015

Hacking Team's snoopware 'spied on anti-communist activists in Vietnam'

Security researchers are linking malware sent to anti-communist activists in Vietnam to controversial commercial spyware firm Hacking Team. The assault dating from 2012-13 appears to use Hacking Team's MSN+Skype tabs, according to preliminary analysis by MalwareMustDie. "It seems their govt bought such solution as toolset …
John Leyden, 13 Jul 2015

Brit teen who unleashed 'biggest ever distributed denial-of-service blast' walks free from court

An 18-year-old Brit dubbed a hacker-for-hire has been spared jail after launching crippling denial-of-service attacks against anti-spam outfit Spamhaus. At one point, the assault in early 2013 reached 300Gbps, somewhat straining the London Internet Exchange (LINX) and other interconnects. Seth Nolan-Mcdonagh, of Stockwell, …
John Leyden, 10 Jul 2015

Papa don't breach: Wannabe singer jailed for hacking Madonna

An aspiring-singer-turned-hacker has been jailed for accessing Madonna's online accounts and stealing her unreleased music tracks. Adi Lederman, 39, had unsuccessfully appeared on Israel’s Kochav Nolad TV talent show before breaking into Team Madonna's email inbox and cloud-based systems last year to steal photographs and …
John Leyden, 10 Jul 2015

Feared OpenSSL vulnerability gets patched, forgery issue resolved

The promised patch against a high severity bug in OpenSSL is out, resolving a certificate forgery risk in many implementations of the crypto protocol. Versions 1.0.1n and 1.0.2b of OpenSSL need fixing to resolve a bug that created a means for hackers to run crypto attacks that circumvent certificate warnings, as an advisory …
John Leyden, 09 Jul 2015

UK politicos easily pwned on insecure Wi-Fi networks

The well-understood risk of insecure, public Wi-Fi networks has been graphically illustrated with demonstration hacks against three prominent UK politicians. The pen-testing style experiment demonstrates the ease with which email, finance and social networking details can be stolen while using free Wi-Fi in cafes, hotels and …
John Leyden, 09 Jul 2015

Apple and MS attackers Wild Neutron return with fresh run of attacks

Hackers linked to attacks against Apple, Microsoft, Twitter and Facebook in early 2013 are back in business, with a fresh run of ongoing attacks against a more diverse and extensive range of businesses over recent months. The so-called Wild Neutron hacking crew have attacked law firms, Bitcoin-related companies, investment …
John Leyden, 08 Jul 2015