The Register Columnists

John Leyden


Bank of England seeks 'HACKERS' to defend vaults against e-thieves

The Bank of England is planning to hire ethical hackers to conduct penetration tests on 20 "major" banks and other financial institutions, it has been reported. The move appears to be a response to lessons learned during the Waking Shark II security response exercise last November. The exercise put merchant banks and other …
John Leyden, 24 Apr 2014

Apple splats 'new' SSL snooping bug in iOS, OS X - but it's no Heartbleed

Apple has squashed a significant security bug in its SSL engine for iOS and OS X as part of a slew of patches for iThings and Macs. The so-called "triple handshake" flaw quietly emerged yesterday amid panic over OpenSSL's Heartbleed vulnerability, and soon after the embarrassing "goto fail" blunder in iOS and OS X. Apple's " …
John Leyden, 23 Apr 2014

Sat comms kit riddled with backdoors for hackers – researcher

Security researchers claim to have uncovered myriad security problems with satellite communication systems. But while major manufacturer Iridium said the security weaknesses identified by security researchers at IOActive were in hand, Thuraya, another satellite comms service, has criticised the report as inaccurate. Ruben …
John Leyden, 23 Apr 2014

Despite your fancy-schmancy security tech, passwords still weakest link in IT defences

The use of stolen login credentials continues to be the most common way for network intruders to access sensitive information. Two out of three breaches were the result of weak or swiped passwords, making a case for strong two-factor authentication, according to Verizon’s latest annual Data Breach Investigations Report. The …
John Leyden, 22 Apr 2014

Fixing OpenSSL's Heartbleed flaw will take MONTHS, warns Secunia

Expunging the Heartbleed bug from vulnerable computers and gadgets is likely to take months, according to a leading vuln research firm. The cautionary assessment by Secunia comes as more and more products are judged to be vulnerable to the infamous OpenSSL security flaw. Heartbleed most obviously affected secure web servers but …
John Leyden, 22 Apr 2014

OpenSSL Heartbleed bug sniff tools are 'BUGGY' – what becomes of the broken hearted?

Software that claims to detect the presence of OpenSSL's Heartbleed bug in servers, PCs and other gear may falsely report a system to be safe when users are actually in danger, according to a security consultancy. This finding is disputed by developers publishing tools that test for the vulnerability. The teams behind Nessus, …
John Leyden, 17 Apr 2014

French hard-drive maker LaCie cops to YEAR LONG card data leak

French hard drive maker LaCie has held its hands up to a year-long credit card breach. Consumers who bought technology from its LaCie.com site between 27 March 2013 and 10 March 2014 may have had their credit cards exposed in the process, the firm admitted in a breach advisory. The problem was NOT detected internally and only …
John Leyden, 16 Apr 2014

OpenSSL bug hunt: Find NEXT Heartbleed, earn $$$ – if enough people donate cash

An effort to raise $250,000 for an OpenSSL bug-bounty program is underway – and its organisers hope it will help ensure the Heartbleed omnishambles is never repeated. The campaign, spearheaded by computer security startup Bugcrowd, aims to raise the cash by 29 April: the money will be distributed as rewards to infosec bods who …
John Leyden, 16 Apr 2014

Hackers attempt to BLACKMAIL plastic surgeons

Cybercrooks attempted to extort a chain of cosmetic surgeons after hacking into its systems and stealing an estimated 480,000 files stuffed with info about prospective nip-'n'-tuck customers. Computer systems at Harley Medical Group, which has 21 clinics across the UK, were pillaged to loot personal details from nearly half a …
John Leyden, 16 Apr 2014

Akamai scoffs humble pie: Heartbleed defence crumbles, new SSL keys for customers

Akamai has issued new SSL certificates to some of its customers after realising its customized OpenSSL was not immune to the Heartbleed bug as first thought. Some time ago, the web distribution giant modified the code to the open-source OpenSSL library and rolled the tweaked version out to just its servers: that adjustment …
John Leyden, 15 Apr 2014

Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker

Twee UK parenting website Mumsnet is the second high-profile organisation to claim it has fallen victim to the infamous Heartbleed OpenSSL vulnerability. Hackers boasted they accessed Mumsnet users’ data via the password-leaking bug – which is present in HTTPS servers and other services and software running OpenSSL 1.0.1 to 1. …
John Leyden, 15 Apr 2014

TrueCrypt audit: Probe's nearly all the way in ... no backdoor hit yet

The first phase of the crowd-funded audit of TrueCrypt has turned up several vulnerabilities, but nothing particularly amiss and certainly nothing that looks like a backdoor. iSEC Partners, which was contracted to carry out the audit by the Open Crypto Audit Project (OCAP), found 11 vulnerabilities in the full disk and file …
John Leyden, 15 Apr 2014

Canadian taxman says hundreds pierced by Heartbleed SSL skewer

The Canadian Revenue Agency has blamed the theft of 900 social insurance numbers on the infamous Heartbleed vulnerability. The Canadian taxman specifically blamed the data breach on a serious security shortcoming in the widely used OpenSSL technology discovered last week. What's significant is not the size of the breach, which is …
John Leyden, 14 Apr 2014

Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn

Cybercriminals have already seized upon the end of support for Windows XP as a theme for numerous scams and fake software updates. Microsoft pushed out its last ever patches for the 13-year-old operating system last Tuesday (8 April). Numerous YouTube videos "advertising programs and functionality related to Windows XP" that …
John Leyden, 14 Apr 2014

Heartbleed vuln under ACTIVE ATTACK as hackers map soft spots

Hackers are posting massive lists of domains vulnerable to the infamous Heartbleed bug, security researchers warn. The warning comes amidst other evidence that the vulnerability is under active attack from hackers possibly based in China and elsewhere, targeting financial services firms among others. Fraud protection firm Easy …
John Leyden, 11 Apr 2014

It may be ILLEGAL to run Heartbleed health checks – IT lawyer

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic. Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of …
John Leyden, 11 Apr 2014

Call of Duty 'fragged using OpenSSL's Heartbleed exploit'

Call of Duty: Black Ops II appears to have been compromised using the now infamous Heartbleed exploit, according to security researchers. The Heartbleed security bug is a simple example of memory leakage through an overflow vulnerability in the Heartbeat component of OpenSSL. Bits of memory in 64 kilobyte chunks may be extracted …
John Leyden, 10 Apr 2014

Snowden lawyer PGP email 'crack' flap: What REALLY happened?

The leak of a PGP-encrypted email between Ed Snowden's pet journalist Glenn Greenwald and a lawyer has created a bit of a fuss in crypto circles. Jesselyn Radack, a national security and human rights brief, said an encrypted email sent by her to Greenwald was this week leaked by persons unknown to Cryptome, the long-running …
John Leyden, 10 Apr 2014

Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed

The startling password-spaffing vulnerability in OpenSSL affects far more than web servers, with everything from routers to smartphones also at risk. The so-called “Heartbleed” vulnerability (CVE-2014-0160) can be exploited to extract information from servers running vulnerable versions of OpenSSL, and this includes email …
John Leyden, 09 Apr 2014

Cyber hostage-takers SCAMMED six times as many people last year

Malware-powered frauds that lock up victims' computers - or worse yet, encrypt files and force them to pay a fee to unlock their information - increased by 500 per cent during 2013, according to a study by Symantec. Symantec's latest global Internet Security Threat Report also revealed that targeted attack campaigns for the …
John Leyden, 09 Apr 2014

Not your father's spam: Trojan slingers attach badness to attachment WITHIN attachment

Cybercrooks are upping the ante by loading malware as an attachment inside another attachment in a bid to slip past security defences. A new variant of the Upatre Trojan comes bundled in spammed messages that imitate emails from known banks such as Lloyds Bank and Wells Fargo. The .MSG file of the malicious emails contains …
John Leyden, 08 Apr 2014

Win XP security deadline: Biz bods MUST protect user data – ICO

The end of support for XP on Tuesday doesn't only mean increased risk from hackers exploiting vulnerabilities that will never be patched. It also creates a heightened data protection risk to businesses, the UK's data privacy watchdog has warned. The Information Commissioner's Office (ICO) also warned that the end of support for …
John Leyden, 08 Apr 2014

You can play Flappy Bird on a POINT OF SALE TERMINAL

Mobile Point of Sale (MPOS) devices can be easily hacked and leave banks and retailers wide open to fraud, warn infosec researchers. Security researchers from MWR InfoSecurity, the same security firm that researched serious vulnerabilities in chip-and-PIN devices back in 2012, demonstrated at last week's SyScan security …
John Leyden, 08 Apr 2014

The Great Hash Bakeoff: Infosec bods cook up next-gen crypto

Cryptographers are limbering up for a competition aimed at developing a next-generation password hash to create a better means for websites to store users' login credentials. In total 24 submissions have been made to the Password Hashing Competition. Cryptographers will now test the effectiveness of the two dozen entrants by …
John Leyden, 07 Apr 2014

Vint Cerf wanted to make internet secure from the start, but secrecy prevented it

The NSA acted as a barrier to the rollout of encryption as standard from the very inception of the internet back in the mid 1970s. Engineers had wanted to add a network encryption layer as part of the original specifications for TCP/IP. Whitfield Diffie and Martin Hellman had published a paper on public key …
John Leyden, 07 Apr 2014

Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'

Several US states have launched an investigation into a subsidiary of credit reference bureau Experian after a fraudster allegedly bought millions of consumers' personal data from it. Vietnamese national Hieu Minh Ngo allegedly used information obtained through Experian subsidiary Court Ventures to run two identity fraud- …
John Leyden, 07 Apr 2014

Left swipe! That hot Tinder babe is a malware-flinging ROBOT

Hackers are abusing the popular Tinder dating app to spread malware and survey scams using bots and clever social-engineering trickery. Bots are luring users with tempting profiles whose pictures were taken from an Arizona-based photography studio, according to net security firm BitDefender. Some of these images have also been …
John Leyden, 07 Apr 2014

Bank-raid ZeuS malware waltzes around web with 'valid app signature'

A variant of the bank-account-raiding ZeuS Trojan is masquerading as a legit Windows app using a valid digital signature – and packs a rootkit to burrow deep into victims' PCs. It appears miscreants have somehow gained access to the private signing key belonging to a Microsoft-registered third-party developer in Switzerland, and …
John Leyden, 05 Apr 2014

Final Windows XP Patch Tuesday will plug Word RTF vuln

The final Patch Tuesday for Windows XP will bring four bulletins, including a critical fix for a zero-day Word vulnerability uncovered last week. The critical 0-day vulnerability - already the object of targeted attacks - opens the door to remote code execution nasties if a user opens an RTF file in Word 2010 or in Outlook while …
John Leyden, 04 Apr 2014

Win XP usage down but not out as support cutoff deadline looms

Windows XP usage on the web is decreasing as the venerable operating system edges ever closer towards its "end of life" from Microsoft support next week. Data from cloud security firm Qualys' QualysGuard shows that the percentage of machines running XP decreased from 35 per cent as of January 2013 to 14 per cent in February 2014. …
John Leyden, 04 Apr 2014

'Bank couriers' who stole money from OAP cancer sufferer jailed

Two men have been jailed following their conviction for running a series of courier fraud scams in south London, Surrey and Sussex. Shaun Moore, 22, of no fixed abode and Jevon Grant, 20, of Croydon were sentenced to 18 months imprisonment and two years in a young offenders' institution, respectively. Both pleaded guilty to …
John Leyden, 03 Apr 2014

'Good job, NSA! You turned Yahoo! into an encryption beast'

Yahoo! has announced major encryption improvements designed to thwart dragnet surveillance efforts by the likes of the NSA. Alex Stamos, Yahoo!'s recently appointed CISO (chief information security officer), said the internet giant has finished encrypting traffic between its data centres. Stamos also outlined a roadmap for …
John Leyden, 03 Apr 2014

'Dads from the Midwest' pull down their email-spaffing LinkedIn plugin

A controversial browser plug-in that offered to reveal LinkedIn users’ private email addresses has been withdrawn by its developers, at least for now. Sell Hack added a “Hack In” button to LinkedIn profiles, which sometimes (but not always) displayed email addresses that supposedly allowed users to contact LinkedIn users …
John Leyden, 02 Apr 2014

Dimwit hackers use security camera DVRs as SUPER-SLOW Bitcoin-mining rig

Miscreants are using hacked digital video recorders in a somewhat misguided attempt to mine the cryptocurrency Bitcoin. Hackers have created custom code to infect devices normally used for recording footage from security cameras. After getting in, likely by taking advantage of weak default passwords, a common security mistake with …
John Leyden, 02 Apr 2014

Password bug let me see shoppers' credit cards in eBay ProStores, claims infosec bod

A serious vulnerability that potentially allowed shoplifters to empty eBay ProStores shops and swipe customer credit cards has been fixed – according to the security researcher who says he found the hole. Mark Litchfield, an infosec pro at Securatary, told us he discovered a flaw in eBay-owned ProStores that not only opened the …
John Leyden, 01 Apr 2014

Angry Birds developers downplay fresh data leak claims

The developers of Angry Birds have hit back at renewed allegations that the ultra-popular game leaks users' personal information. Security vendor FireEye put out a detailed critique of Angry Birds last week claiming that the smartphone game leaked data like a sieve. An early March update of Angry Birds, available through Google …
John Leyden, 01 Apr 2014

Snowden files latest: NSA and GCHQ targeted German satcomms

The NSA and GCHQ hacked into the systems of three German satellite communication providers, according to the latest leaks from the files of Edward Snowden, fugitive ex-NSA sysadmin. Der Spiegel reports that GCHQ and the NSA tried to infiltrate internal networks run by satellite comms firms Stellar, Cetel and IABG. Stellar …
John Leyden, 31 Mar 2014

Crack CERT warriors arrive to save UK from grid-crippling hack attacks

The UK is finally getting a national Computer Emergency Response Team (CERT), with the delayed launch of the organisation taking place today. CERT-UK, a key component of the government's £650m National Cyber Security Strategy, will co-ordinate responses to hacking and malware-based cyber attacks on a national level. The …
John Leyden, 31 Mar 2014

'I like big butts and I cannot lie, hackers take Pinterest on a joyride'

Miscreants have made an ass out of users of bewildering photo-sharing website Pinterest – by hijacking their accounts to flood the boards with butt pics. The cheeky spammers gained control of the profile pages by tricking victims into clicking on “Pin This” widgets on websites or running dodgy apps, all of which had malicious …
John Leyden, 28 Mar 2014

Homeopathic remedies contaminated with REAL medicine get recalled

A batch of homeopathic remedies has been recalled in the US after it was discovered that they contained real medicine. Terra-Medica is voluntarily recalling 56 lots of homeopathic drug products in liquid, tablet, capsule, ointment, and suppository forms after it was discovered the alternative treatments potentially contained …
John Leyden, 28 Mar 2014

ICO plugs XSS vuln in its website. Only took watchdog FIVE YEARS

The Information Commissioner's Office (ICO) has finally fixed a security bug on its website - five years after it was first notified to the data privacy watchdog. IT consultant Paul Moore first warned the ICO about a cross site scripting (XSS) problem on its website in 2009. The flaw meant it was possible to introduce arbitrary …
John Leyden, 28 Mar 2014

Hackers force innocent mobes to join ALTCOIN MINING GANGS

Cybercrooks are turning smartphones into digital currency-mining bots using mobile malware. The cyber-menace, dubbed CoinKrypt by mobile security firm Lookout, is capable of hijacking the processor on smartphones to mine digital currency, enriching hackers in the process. CoinKrypt has been confined thus far to Spanish pirated …
John Leyden, 27 Mar 2014

Rule of law: Turkish court nixes government Twitter ban ... for now

A court in Turkey's capital has ordered the lifting of the government ban on Twitter in the restless nation. The administrative court in Ankara overturned the week-long ban on Wednesday in response to complaints by journalists’ unions and the country's Bar Association, representing its lawyers, that blocking Twitter contravened …
John Leyden, 27 Mar 2014

When ZOMBIES attack: DDoS traffic triples as 20Gbps becomes the new normal

DDoS traffic has more than trebled since the start of 2013, according to a new study released on Thursday that fingers zombie networks as the primary source of junk traffic that can be used to flood websites. More than a quarter of all botnets are located in India, China or Iran. The study, by DDoS mitigation firm …
John Leyden, 27 Mar 2014

Did Russians frame Ukrainian hacktivists for alleged leak of 7 million credit, debit cards?

Self-styled Ukrainian hackers are bragging they dumped millions of stolen credit card numbers online – but the claims may simply be a political smear job amid tensions between Russia and the West. A group calling itself "Anonymous Ukraine" boasted this week that it is in possession of 800 million credit and debit card details. …
John Leyden, 27 Mar 2014

Forget sledgehammers – crooks can CRACK ATMs with a TEXT

Mexican cybercrooks are targeting bank ATMs with malware that can be activated by an SMS message that forces compromised cash machines to spew out cash. The attack is a refinement on previous assaults using the Ploutus backdoor strain of malware that makes robbing cash machines even easier for local banditos, according to net …
John Leyden, 26 Mar 2014

Passport PIN tech could have SAVED MH370 ID fraudsters

A man who developed PIN code protection for credit cards is looking to extend the technology to passports as a way of making stolen credentials more difficult to use. Kenneth Cecil of International Security, who came up with PIN code protection in US patent 6,340,116, will present a white paper on extending the technology to …
John Leyden, 26 Mar 2014

Cybercrook? Bent on mischief? WE'LL GET YOU, vow Facebook and pals

Internet heavyweights have teamed up to form a non-profit organisation designed to supply internet infrastructure operators with free tools and intelligence in the fight against cybercrime. Facebook, security intelligence firm Crowdstrike, Verisign, ESET Anti-Virus, Verizon and the Anti-Phishing Working Group, among others, are …
John Leyden, 25 Mar 2014

Hey, Glasshole: That cool app? It has turned you into a SPY DRONE

Security researchers have created prototype Google Glass spyware that is capable of snooping on everything the user is looking at without tipping off victims that anything is amiss. Mike Lady and Kim Paterson – graduate researchers at California Polytechnic San Luis Obispo – created an app that takes a picture every 10 seconds a …
John Leyden, 24 Mar 2014

Microsoft charges the FBI $50 for a copy of your private data, claim 'Redmond hackers'

Hacktivists apparently loyal to Syrian President Bashar al-Assad have bragged they hacked into Microsoft's internal system that bills US cops and feds for access to citizens' private data. And the hackers have apparently spilled the beans on how much Redmond is paid for servicing those American wiretap requests. The documents …
John Leyden, 21 Mar 2014