John Leyden


Misconfigured Big Data apps are leaking data like sieves

More than a petabyte of data lies exposed online because of weak default settings and other configuration problems involving enterprise technologies. Swiss security firm BinaryEdge found that numerous instances of Redis cache and store archives can be accessed without authentication. Data on more than 39,000 MongoDB NoSQL …
John Leyden, 13 Aug 2015

It's not just antivirus downloads that have export control screening

Export control screening for individuals hoping to purchase everyday consumer technologies extends beyond just antivirus software downloads, according to several sources contacted by The Register. Those who share the name of someone on a blacklist have to go through secondary screening (a bureaucratic process generally …
John Leyden, 13 Aug 2015

Wanna harvest a stranger's Facebook data? Get a mobile number and off you go

Hackers and other miscreants are able to access names, telephone numbers, images and location data in bulk from Facebook, using only a cellphone number. The loophole was revealed by software engineer Reza Moaiandin. Moaiandin, technical director at UK-based tech firm, exploited a little-known privacy setting in a …
John Leyden, 12 Aug 2015

Patching a fragmented, Stagefrightened Android isn't easy

Android users face a triple patching headache with the recent discovery of a collection of serious vulnerabilities affecting smartphones and tablets running Google's mobile operating system. Security experts warn that the fragmented nature of Android devices will make patching more difficult than it would be in updating PCs. …
John Leyden, 12 Aug 2015

Oracle pulls CSO's BONKERS anti-bug bounty and infosec rant

Updated While other IT industry heavyweights have embraced bug bounties and working with security researchers more generally, Oracle has set its face in the opposite direction in a blog post likening reverse engineering to cheating on your spouse. Mary Ann Davidson, Oracle's chief security officer (CSO), expressed corporate dislike …
John Leyden, 11 Aug 2015

Hackers hid Carphone Warehouse breach with DDoS smokescreen – report

Hackers reportedly swamped Carphone Warehouse with junk traffic as a smokescreen, before breaking into systems and stealing the personal details of 2.4m customers. Up to 90,000 customers may also have had their encrypted credit card details accessed, the UK-based mobile phone reseller admitted at the weekend. Customers with …
John Leyden, 11 Aug 2015

You'll LITERALLY PAY for getting tricked into visiting these scam sites

Update Cyber-crooks have latched on to online scams that exploit direct-to-bill payment options. Security biz Malwarebytes warns that crooks are tricking users into visiting mobile sites containing code that charges users via their mobile number. Victims are corralled through a complex series of pop-up adverts to a fly-by-night web …
John Leyden, 11 Aug 2015

Bunitu botnet crooks sell your unencrypted VPN traffic for £££

Cyber-crooks behind the Bunitu botnet are selling access to infected proxy bots as a way to cash in from their network. Users (some of whom may themselves be shady types, as explained below) who use certain VPN service providers to protect their privacy are blissfully unaware that back-end systems channel traffic through a …
John Leyden, 11 Aug 2015

Apple splashes dough to keep Big Cheese safe

Apple spends $699,133 every year to keep chief exec Tim Cook safe, far, far higher than his modest life insurance premium of $2,500, according to an official document. The big figure isn't broken down and comes from a proxy statement filed with the Securities and Exchange Commission. This amount represents: (i) the Company’s …
John Leyden, 10 Aug 2015

Tobacco field bacteria offers hope for buzz-kill smoking therapy

Help may soon be at hand for those who have tried and failed to quit smoking, thanks to a bacterium that guzzles down nicotine. Chemistry boffins reckon the organism may hold the key to a future anti-smoking therapy. An enzyme from the Pseudomonas putida bacterium – originally isolated from soil in a tobacco field – consumes …
John Leyden, 07 Aug 2015

Want to download free AV software? Don't have a Muslim name

Exclusive Software export controls are being applied to blacklisted people as well as countries: and these controls apply to routine security packages such as freebie antivirus scanning software, as well as more sensitive technologies, El Reg has concluded. We've come to this way of thinking after investigating why Reg reader Hasan Ali …
John Leyden, 07 Aug 2015

Oh no ZigBee, as another front opens on home networking insecurity

Black Hat 2015 Security researchers have exposed new flaws in ZigBee, one of the most popular wireless communication standards used by Internet of Things (IoT) devices. Implementations of ZigBee in home networks require that an insecure initial key transport be supported, making it possible to compromise ZigBee networks and take …
John Leyden, 06 Aug 2015

Android faces SECOND patching crisis, on the same scale as Stagefright

Hours after Google and smartphone makers promised an imminent patch for the infamous Stagefright vulnerability, another critical flaw in Android is being outed. The “Certifi-gate” vulnerability allows applications to gain illegitimate privileged access rights, typically reserved for remote support applications that are either …
John Leyden, 06 Aug 2015

Popping the Tesla S bonnet – to reveal SIX NEW FLAWS

Security researchers have uncovered six fresh vulnerabilities with the Tesla S. Kevin Mahaffey, CTO of mobile security firm Lookout, and Cloudflare’s principal security researcher Marc Rogers, discovered the flaws after physically examining a vehicle before working with Elon Musk’s firm to resolve security bugs in the electric …
John Leyden, 06 Aug 2015

Hacking Team brewed potent iOS poison for non-jailbroken iThings

Hacking Team compromised non-jailbroken iOS devices using a variant of last year’s Masque Attack, in which Apple devices were infected via emails and text messages. That's according to a study of the 400GB of documents that were pilfered from the Italian snoop-ware maker's computers by hackers, and leaked online for all to see …
John Leyden, 06 Aug 2015

Major web template flaw lets miscreants break out of sandboxes

Black Hat 2015 A serious fresh category of web security vulnerability creates the potential for all sorts of mischief, security researchers warn. Template engines are widely used by web applications in order to present dynamic data via web pages and emails. The technology offers a server-side sandbox. The commonplace practice of allowing …
John Leyden, 05 Aug 2015

I could spoof Globalstar satellite messages, boasts infosec bod

Black Hat 2015 Intercepting and spoofing satellite communications carried over the Globalstar network is possible with modest technical skills and an investment of just $1,000, according to new research due to be unveiled at Black Hat. Globalstar is downplaying the threat, stating that its system isn’t getting hacked. Globalstar's consumer- …
John Leyden, 05 Aug 2015

Websites that ID you by how you type: Great when someone's swiped your password, but...

Debate is raging over the discovery that simple web browser extensions can defeat behavior-based biometric technologies. (In this case, behavior-based biometric technologies is a fancy way of saying JavaScript that profiles how people type so that they can be identified the next time they get behind the keyboard.) Passive …
John Leyden, 03 Aug 2015

‘Secure’ criminal justice email system relies on obsolete protocols

The Criminal Justice Secure eMail system (CJSM) relies on insecure protocols that some security conscious organisations deliberately block, claims a Register source. CJSM is run by Vodafone on behalf of the government and designed to provide secure communications between the GSI (Government Secure Intranet) and external …
John Leyden, 03 Aug 2015

Bitdefender feeling a bit tender: Hackers enter anti-distemper vendor

One or more miscreants have been able to slurp and leak usernames and passwords from Bitdefender. The unencrypted login details belonged to some of the security biz's small business customers. Bitdefender, which makes antivirus software and other stuff, admitted its system was breached following rumors (here and here) that …
John Leyden, 31 Jul 2015

US spied on Japanese PM Abe, Mitsubishi, and so much more

The NSA spied on Japan's prime minister, central bank, finance ministry and major corporations, such as the natural gas division of Mitsubishi, according to documents released today. The targets of the cyber-spying included stealing secrets on US-Japan relations, trade negotiations and climate change policy. Fruits of the …
John Leyden, 31 Jul 2015

Derelict TrueCrypt Russia portal 'is command hub for Ukraine spying op'

Malware used to attack Ukrainian government, military, and major news agencies in the country, was distributed from the Russian portal of encryption utility TrueCrypt, new research has revealed. Security peeps at ESET discovered a connection to a Russian version of the now discontinued popular source-is-available encryption …
John Leyden, 30 Jul 2015

Chinese hackers behind OPM megabreach also pwned United Airlines

United Airlines was hacked by the same Chinese group that also breached health insurer Anthem and the US government’s Office of Personnel Management (OPM). Hackers stole flight manifests from United Airlines in May or early June, exposing the names of people on many different flights in the process, after earlier making off with …
John Leyden, 30 Jul 2015

Strong ARM scoops up Sansa to boost IoT security

Chipmaker ARM has sealed a deal to buy Israeli Internet of Things (IoT) security specialist Sansa Security. Financial terms of the deal, announced Thursday, were not officially disclosed. However, the WSJ previously reported that around $75m-$85m was on the table. ARM makes the chips that power the majority of the world’s …
John Leyden, 30 Jul 2015

Be wary of that Russian. He might HAMMERTOSS a software nasty at you

Security researchers have blown the lid on another Russian cyberspy crew, rated as the most sophisticated yet by security firm FireEye. APT29 – which has only been operational since around the end of last year – uses a strain of malware called Hammertoss. "The group has demonstrated an understanding of network defenders’ …
John Leyden, 29 Jul 2015

How to quietly slurp sensitive data wirelessly from an air-gapped PC

Israeli academics have demonstrated how feature-phones can use GSM radio frequencies to wirelessly siphon data from infected "air-gapped" computers. Air-gapped computers are those kept physically isolated from other networks as a safeguard against hacking. The work by researchers at the Ben-Gurion University of the Negev (BGU …
John Leyden, 29 Jul 2015

A third of workers admit they'd leak sensitive biz data for peanuts

A third of employees would sell information on company patents, financial records and customer credit card details if the price was right. A poll of 4,000 employees in the UK, Germany, USA and Australia found that for £5,000, a quarter would flog off sensitive data, potentially risking both their job and criminal convictions …
John Leyden, 29 Jul 2015

Are smart safes secure? Not after we've USB'd them, say infosec bods

Vulnerabilities in “intelligent cash safe service” Brink's CompuSafe's cash management products will be demonstrated at the Def Con hacker conference in Las Vegas next week. Brink's CompuSafe offers a “smart safe as a service” technology to major retailers and fast food franchises. This smart safe can communicate how much …
John Leyden, 28 Jul 2015

Windows 10 in head-on crash with Nvidia drivers as world watches launch

Microsoft's automatic updates feature in Windows 10 has collided with Nvidia's driver system, sending the new operating system off the rails as it launches. Early adopters are experiencing glitches (particularly in multi-monitor setups), and in some cases crashes, all triggered when Windows 10 automatically updates its …
John Leyden, 28 Jul 2015

Biometric behavioural profiling: Fighting that password you simply can't change

Security researchers have developed a browser extension that supposedly defeats biometrics based on typing patterns, with the exercise designed, in part, to promote greater awareness about the emerging technology and the privacy risk it might pose. Biometric behavioural profiling allows a site to collect metadata about how a …
John Leyden, 28 Jul 2015

Unhinged Linux backdoor still poses a nuisance, if not a threat

Internet Igors have stitched together a new Linux backdoor. Fortunately for internet hygiene the botnet agent – which packs a variety of powerful features – is faulty and only partially functional. The backdoor, dubbed Dklkt-1 was designed to be a cross-platform nasty capable of infecting both Windows and Linux machines. …
John Leyden, 27 Jul 2015

Google burnishes Chrome to patch over 43 bugs

Google has pushed out a new cross-platform version of Chrome that fixes no less than 43 security bugs. Chrome version 44.0.2403.89 for Windows, Mac and Linux addresses 12 potentially “high-impact flaws”, several of which revolve around buffer overflow bugs. A pair of universal cross-site scripting bugs also rate towards the …
John Leyden, 24 Jul 2015

Jeep breach: Scared? You should be, it could be you next

Other vehicles may be at risk from hacking following the Jeep Cherokee incident, according to one of the two researchers who pioneered the spectacular auto exploit. Renowned car security researchers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee over a mobile network and found a way to control critical …
John Leyden, 24 Jul 2015

Now car hackers can bust in through your motor's DAB RADIO

Car brakes and other critical systems can be hacked via car infotainment systems, security researchers at NCC Group have revealed. The ingenious hack, demonstrated in an off-road environment, works by sending attack data via digital audio broadcasting (DAB) radio signals. This is similar to a hack that allowed security …
John Leyden, 24 Jul 2015

Contactless card fraud? Easy. All you need is an off-the-shelf scanner

Consumer association magazine Which? has highlighted a security flaw in contactless card systems, which, if combined with a lack of checks by retailers, could be exploited by thieves to make expensive online purchases. Researchers bought contactless card-reading technology from a mainstream website before using it to remotely …
John Leyden, 23 Jul 2015

Four phone hijack bugs revealed in Internet Explorer after Microsoft misses patch deadline

Updated Microsoft has run out of time to fix four critical security vulnerabilities in the mobile edition of Internet Explorer – prompting HP's Zero Day Initiative (ZDI) to disclose their existence without revealing any damaging details. All four of the flaws present a remote code execution (i.e. malicious code injection on a Windows …
John Leyden, 23 Jul 2015

Cyber poltergeist threat discovered in Internet of Stuff hubs

New security research has revealed a whole new area of concerns for the soon-to-be-everywhere Internet of Things – smart home hubs. Hubs – devices that link into home networks to control lighting, dead-bolt locks and cameras – can be dangerously vulnerable to attack, according to security tools firm TripWire. Craig Young, a …
John Leyden, 23 Jul 2015

Hark, the Hacking Team angels sing, it’s not us who’ve actually sinned

The Hacking Team pushed out a new statement on Wednesday, moaning that the only victim of the mega-breach against its systems is Hacking Team itself. Eric Rabe, the firm's chief marketing and communications officer, complained that the controversial outfit is “being treated as the offender, and the criminals who attacked the …
John Leyden, 22 Jul 2015

Ashley Madison invites red-faced cheats to bolt stable door for free

Adulterous hook-up site Ashley Madison is allowing all members to fully delete their profiles without charge in the aftermath of a serious data breach that threatens the site's future. Previously, if users wanted to delete their records (profile, pictures and messages sent through the system) they were obliged to pay around $20 …
John Leyden, 21 Jul 2015

Scammers going after iOS as fake crash reports hit UK

Tech support scammers have begun targeting UK iPhone and iPad users, offering to fix problems that don't actually exist. Cold call scams that seek to hoodwink Windows users into paying for useless remote diagnostic and cleanup services have been an issue for years. More recently, scammers have broadened their sights to target …
John Leyden, 21 Jul 2015

Spyware-spewing Wi-Fi drone found on Hacking Team, Boeing's to-do list

Leaked emails have exposed plans by Hacking Team and a Boeing subsidiary to deliver spyware via drones for sale to government agencies. The scheme proposed the use of unmanned aerial vehicles (UAVs or drones) to deliver Hacking Team's Remote Control System Galileo spyware via Wi-Fi networks from above. Boeing subsidiary Insitu …
John Leyden, 20 Jul 2015

Norton for Windows 10 is NOT a box-borking beta, insists Symantec

A recent update to Norton designed to add compatibility for Windows 10 is incompatible with mainstream Windows releases, according to some users. Symantec is denying that these issues are anything worse than teething problems, although this has so far failed to placate critics. Users are loudly complaining about borked Win 8. …
John Leyden, 20 Jul 2015

Fragmented Android development creating greater security risks

The fragmentation of Android is creating additional security risks, as the rush to release new devices without sufficient testing is inadvertently introducing security flaws, security researchers have warned. The researchers – Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed and XiaoFeng Wang – uncovered flaws in …
John Leyden, 20 Jul 2015

Ashley Madison hack: Site for people who can't be trusted can't be trusted

Ashley Madison, a popular website for married people wishing to cheat on their other halves, has been hacked with obviously serious implications for those whose details it held. Previously unknown hacking group The Impact Team posted online caches of personal data stolen from the website, whose motto is "Life is short. Have an …
John Leyden, 20 Jul 2015

Password manager Mitro will shutter itself on 31 August

Password manager service Mitro is to shut down permanently from the end of August. The announcement comes just less than twelve months after Mitro was acquired by Twitter for an undisclosed amount. Mitro open sourced its server and client software through GitHub at the same time in late July 2014. Mitro's team joined …
John Leyden, 17 Jul 2015

Thunder-faced Mozilla lifts Flash Firefox block after 0-days plugged

Mozilla has lifted its blanket block on Flash in Firefox following the release of security updates by Adobe on Tuesday. Although the short-term block has been lifted, the whole flap appears to have re-energised efforts at Mozilla to work on Flash alternatives. The block – imposed on Monday – meant that all versions of Flash …
John Leyden, 16 Jul 2015

Your security is just dandy, Apple Pay, but here comes Android

Analysis Most security experts estimate that the security offered within (and by) Apple Pay is superior to that seen in existing contactless credit or debit card systems. However, the success of the technology in the UK may well depend more on commercial factors than anything else, with one payments expert warning that merchants fees …
John Leyden, 16 Jul 2015

Infosec bigwigs rally against US cyber export control rule

Infosec heavyweights are uniting to oppose US government proposals to tighten up export controls against software exploits, a move critics argue threatens to imperil mainstream security research and information sharing. The proposed regulation, based on the Wassenaar Arrangement of 1996 and not originally intended to include …
John Leyden, 15 Jul 2015

Malwarebytes slurps startup, hopes to belch out Mac malware zapper

Security software firm Malwarebytes is moving into the Mac security software market with the acquisition of a start-up and the launch of its first anti-malware product for Apple computers. Malwarebytes Anti-Malware for Mac is designed to detect and remove malware, adware, and PUPs (potentially unwanted programs). The release …
John Leyden, 15 Jul 2015

GET PATCHED: Adobe plugs Hacking Team Flash holes and more

Adobe has released patches for its Flash software to fix a pair of critical security vulnerabilities exposed by the Hacking Team megabreach. The bugs can be exploited to hijack PCs and infect them with malware – and crooks are already doing just that, so apply the updates now. The security bulletin for Adobe Flash Player ( …
John Leyden, 14 Jul 2015