The Register Columnists

John Leyden


Hacktivists hijack BNP Twitter account, crayon over leader Griffin's too

Hacktivists from Anonymous took over the Twitter feeds of the extreme British National Party and its controversial chairman Nick Griffin over the weekend. The hack against @NickGriffinMEP's profile, which boasts 29,000 followers, was apparently mere mischief rather than a desire to make a point against a politician notorious for …
John Leyden, 06 May 2014

HALF of London has outdated Wi-Fi security, says roving World of War, er, BIKER

Wireless security across London remains flaky despite the well-known risks, according to an infosec bod who has been riding his bike all around town identifying insecure wireless networks and highlighting shoddy user behaviours that could be exploited by rogue hackers. James Lyne, global head of security research at Sophos, went …
John Leyden, 05 May 2014

Hackers ZERO IN on ZOMBIE XP boxes: Get patching, Internet Explorer 8 users

A newly uncovered attack specifically targeting out-of-support Windows XP machines running Internet Explorer 8 is being used to hack potential victims in multiple industries across Europe and North America, according to security researchers. This is the first “in the wild” attack spotted against Windows XP after Microsoft pulled …
John Leyden, 02 May 2014

Security guru: You can't blame EDWARD SNOWDEN for making US clouds LOOK leaky

Accusations that the revelations from rogue National Security Agency sysadmin whistleblower Edward Snowden have damaged the US technology industry are misplaced, according to influential security guru Mikko Hypponen. Hypponen, chief research officer at security firm F-Secure, said that the disclosure that US tech was either " …
John Leyden, 30 Apr 2014

Interweb has staunched nearly all Heartbleed wounds, says crypto bod

The Heartbleed password-leaking vulnerability in OpenSSL has almost been eradicated from the web just weeks after its discovery, according to an encryption expert. Ivan Ristic, director of engineering at cloud security firm Qualys, estimates that 25 per cent of websites worldwide were vulnerable to the data-disclosing bug on 8 …
John Leyden, 30 Apr 2014

Cuffing darknet-dwelling cyberscum is tricky. We'll 'disrupt' crims instead, warns top cop

Europe's top cyber-cop has called for a shift in focus from the prosecution of online crims to the disruption of their activities. This comes as crooks increasingly make use of the darknet – private peer-to-peer networks such as Tor – to stay hidden and anonymous; cops find it difficult to work out suspects' true identities and …
John Leyden, 29 Apr 2014

Drink me: Adobe pours Flash Player bug squash

Adobe is pushing out a cross-platform security fix for a bug in its Flash Player that miscreants are already exploiting. Windows users running Adobe Flash Player 13.0.0.182 and earlier need to update it following the discovery of a zero-day attack. "Adobe is aware of reports that an exploit for CVE-2014-0515 exists in the wild …
John Leyden, 28 Apr 2014

Press release scam pelts poor PRs with volley of UNTRUE invoices

Fraudsters are targeting PR agencies that make use of newswires through a sneaky false invoicing scam. Pressat, which distributes press releases from tech PR agencies and others, put out a warning about fraudulent attempts to trick its clients into paying out on the back of false invoices that typically demand €580. The latest …
John Leyden, 28 Apr 2014

Innocent surfers drafted into ZOMBIE ARMY by sneaky XSS vuln

Visitors to a video distribution website were unwittingly turned into participants in a hacker's DDoS battle against a third-party site earlier this month. DDoS mitigation firm Incapsula identified the video website as Sohu.TV, after the Chinese streaming site plugged a vuln that enabled the browser-based botnet attack to happen …
John Leyden, 25 Apr 2014

UK bank heist-by-KVM gang sent down for 24 years after nicking £1.2m

A gang has been jailed after secretly installing hardware in Barclays bank branches to control PCs and steal £1.2m. The sneaky crims hooked up a hidden KVM (keyboard, video and mouse) switch and a 3G mobile dongle to computers at two London branches. This allowed the thieves to connect to the switch over the internet, access the …
John Leyden, 25 Apr 2014

LulzSec's Sabu hacked foreign gov sites while under FBI control – NYT

Ex-LulzSec chief Sabu orchestrated attacks on government computers in Iran, Syria, Pakistan and Brazil while under the control of the FBI, according to a New York Times investigation. After he was apprehended and turned to become an FBI informant, Hector Xavier "Sabu" Monsegur encouraged fellow Anonymous hackers to hit foreign …
John Leyden, 24 Apr 2014

Bank of England seeks 'HACKERS' to defend vaults against e-thieves

The Bank of England is planning to hire ethical hackers to conduct penetration tests on 20 "major" banks and other financial institutions, it has been reported. The move appears to be a response to lessons learned during the Waking Shark II security response exercise last November. The exercise put merchant banks and other …
John Leyden, 24 Apr 2014

Apple splats 'new' SSL snooping bug in iOS, OS X - but it's no Heartbleed

Apple has squashed a significant security bug in its SSL engine for iOS and OS X as part of a slew of patches for iThings and Macs. The so-called "triple handshake" flaw quietly emerged yesterday amid panic over OpenSSL's Heartbleed vulnerability, and soon after the embarrassing "goto fail" blunder in iOS and OS X. Apple's " …
John Leyden, 23 Apr 2014

Sat comms kit riddled with backdoors for hackers – researcher

Security researchers claim to have uncovered myriad security problems with satellite communication systems. But while major manufacturer Iridium said the security weaknesses identified by security researchers at IOActive were in hand, Thuraya, another satellite comms service, has criticised the report as inaccurate. Ruben …
John Leyden, 23 Apr 2014

Despite your fancy-schmancy security tech, passwords still weakest link in IT defences

The use of stolen login credentials continues to be the most common way for network intruders to access sensitive information. Two out of three breaches were the result of weak or swiped passwords, making a case for strong two-factor authentication, according to Verizon’s latest annual Data Breach Investigations Report. The …
John Leyden, 22 Apr 2014

Fixing OpenSSL's Heartbleed flaw will take MONTHS, warns Secunia

Expunging the Heartbleed bug from vulnerable computers and gadgets is likely to take months, according to a leading vuln research firm. The cautionary assessment by Secunia comes as more and more products are judged to be vulnerable to the infamous OpenSSL security flaw. Heartbleed most obviously affected secure web servers but …
John Leyden, 22 Apr 2014

OpenSSL Heartbleed bug sniff tools are 'BUGGY' – what becomes of the broken hearted?

Software that claims to detect the presence of OpenSSL's Heartbleed bug in servers, PCs and other gear may falsely report a system to be safe when users are actually in danger, according to a security consultancy. This finding is disputed by developers publishing tools that test for the vulnerability. The teams behind Nessus, …
John Leyden, 17 Apr 2014

French hard-drive maker LaCie cops to YEAR LONG card data leak

French hard drive maker LaCie has held its hands up to a year-long credit card breach. Consumers who bought technology from its LaCie.com site between 27 March 2013 and 10 March 2014 may have had their credit cards exposed in the process, the firm admitted in a breach advisory. The problem was NOT detected internally and only …
John Leyden, 16 Apr 2014

OpenSSL bug hunt: Find NEXT Heartbleed, earn $$$ – if enough people donate cash

An effort to raise $250,000 for an OpenSSL bug-bounty program is underway – and its organisers hope it will help ensure the Heartbleed omnishambles is never repeated. The campaign, spearheaded by computer security startup Bugcrowd, aims to raise the cash by 29 April: the money will be distributed as rewards to infosec bods who …
John Leyden, 16 Apr 2014

Hackers attempt to BLACKMAIL plastic surgeons

Cybercrooks attempted to extort a chain of cosmetic surgeons after hacking into its systems and stealing an estimated 480,000 files stuffed with info about prospective nip-'n'-tuck customers. Computer systems at Harley Medical Group, which has 21 clinics across the UK, were pillaged to loot personal details from nearly half a …
John Leyden, 16 Apr 2014

Akamai scoffs humble pie: Heartbleed defence crumbles, new SSL keys for customers

Akamai has issued new SSL certificates to some of its customers after realising its customized OpenSSL was not immune to the Heartbleed bug as first thought. Some time ago, the web distribution giant modified the code to the open-source OpenSSL library and rolled the tweaked version out to just its servers: that adjustment …
John Leyden, 15 Apr 2014

Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker

Twee UK parenting website Mumsnet is the second high-profile organisation to claim it has fallen victim to the infamous Heartbleed OpenSSL vulnerability. Hackers boasted they accessed Mumsnet users’ data via the password-leaking bug – which is present in HTTPS servers and other services and software running OpenSSL 1.0.1 to 1. …
John Leyden, 15 Apr 2014

TrueCrypt audit: Probe's nearly all the way in ... no backdoor hit yet

The first phase of a crowd-funded audit of TrueCrypt has turned up several vulnerabilities, but nothing particularly amiss and certainly nothing that looks like a backdoor. iSEC Partners, which was contracted to carry out the audit by the Open Crypto Audit Project (OCAP), found 11 vulnerabilities in the full disk and file …
John Leyden, 15 Apr 2014

Canadian taxman says hundreds pierced by Heartbleed SSL skewer

The Canadian Revenue Agency has blamed the theft of 900 social insurance numbers on the infamous Heartbleed vulnerability. The Canadian taxman specifically blamed the data breach on a serious security shortcoming in widely used OpenSSL technology discovered last week. What's significant is not the size of the breach, which is …
John Leyden, 14 Apr 2014

Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn

Cybercriminals have already seized upon the end of support for Windows XP as a theme for numerous scams and fake software updates. Microsoft pushed out its last ever patches for the 13-year-old operating system last Tuesday (8 April). Numerous YouTube videos "advertising programs and functionality related to Windows XP" that …
John Leyden, 14 Apr 2014

Heartbleed vuln under ACTIVE ATTACK as hackers map soft spots

Hackers are posting massive lists of domains vulnerable to the infamous Heartbleed bug, security researchers warn. The warning comes amidst other evidence that the vulnerability is under active attack from hackers possibly based in China and elsewhere, targeting financial services firms among others. Fraud protection firm Easy …
John Leyden, 11 Apr 2014

It may be ILLEGAL to run Heartbleed health checks – IT lawyer

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic. Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of …
John Leyden, 11 Apr 2014

Call of Duty 'fragged using OpenSSL's Heartbleed exploit'

Call of Duty: Black Ops II appears to have been compromised using the now infamous Heartbleed exploit, according to security researchers. The Heartbleed security bug is a simple example of memory leakage through an overflow vulnerability in the Heartbeat component of OpenSSL. Bits of memory in 64 kilobyte chunks may be extracted …
John Leyden, 10 Apr 2014

Snowden lawyer PGP email 'crack' flap: What REALLY happened?

The leak of a PGP-encrypted email between Ed Snowden's pet journalist Glenn Greenwald and a lawyer has created a bit of a fuss in crypto circles. Jesselyn Radack, a national security and human rights brief, said an encrypted email sent by her to Greenwald was this week leaked by persons unknown to Cryptome, the long-running …
John Leyden, 10 Apr 2014

Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed

The startling password-spaffing vulnerability in OpenSSL affects far more than web servers, with everything from routers to smartphones also at risk. The so-called “Heartbleed” vulnerability (CVE-2014-0160) can be exploited to extract information from the servers running vulnerable versions of OpenSSL, and this includes email …
John Leyden, 09 Apr 2014

Cyber hostage-takers SCAMMED six times as many people last year

Malware-powered frauds that lock up victims' computers - or worse yet, encrypt files and force them to pay a fee to unlock their information - increased by 500 per cent during 2013, according to a study by Symantec. Symantec's latest global Internet Security Threat Report also revealed that targeted attack campaigns for the …
John Leyden, 09 Apr 2014

Not your father's spam: Trojan slingers attach badness to attachment WITHIN attachment

Cybercrooks are upping the ante by loading malware as an attachment inside another attachment in a bid to slip past security defences. A new variant of the Upatre Trojan comes bundled in spammed messages that imitate emails from known banks such as Lloyds Bank and Wells Fargo. The .MSG file of the malicious emails contains …
John Leyden, 08 Apr 2014

Win XP security deadline: Biz bods MUST protect user data – ICO

The end of support for XP on Tuesday doesn't only mean increased risk from hackers exploiting vulnerabilities that will never be patched. It also creates a heightened data protection risk to businesses, the UK's data privacy watchdog has warned. The Information Commissioner's Office (ICO) also warned that the end of support for …
John Leyden, 08 Apr 2014

You can play Flappy Bird on a POINT OF SALE TERMINAL

Mobile Point of Sale (MPOS) devices can be easily hacked and leave banks and retailers wide open to fraud, warn infosec researchers. Security researchers from MWR InfoSecurity, the same security firm that researched serious vulnerabilities in chip-and-PIN devices back in 2012, demonstrated at last week's SyScan security …
John Leyden, 08 Apr 2014

The Great Hash Bakeoff: Infosec bods cook up next-gen crypto

Cryptographers are limbering up for a competition aimed at developing a next-generation password hash to create a better means for websites to store users' login credentials. In total 24 submissions have been made to the Password Hashing Competition. Cryptographers will now test the effectiveness of the two dozen entrants by …
John Leyden, 07 Apr 2014

Vint Cerf wanted to make internet secure from the start, but secrecy prevented it

The NSA acted as a barrier to the rollout of encryption as standard from the very inception of the internet back in the mid 1970s. Engineers had wanted to add a network encryption layer as part of the original specifications for TCP/IP. Whitfield Diffie and Martin Hellman had published a paper on public key …
John Leyden, 07 Apr 2014

Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'

Several US states have launched an investigation into a subsidiary of credit reference bureau Experian after a fraudster allegedly bought millions of consumers' personal data from it. Vietnamese national Hieu Minh Ngo allegedly used information obtained through Experian subsidiary Court Ventures to run two identity fraud- …
John Leyden, 07 Apr 2014

Left swipe! That hot Tinder babe is a malware-flinging ROBOT

Hackers are abusing the popular Tinder dating app to spread malware and survey scams using bots and clever social-engineering trickery. Bots are luring users with tempting profiles and pictures taken from an Arizona-based photography studio, according to net security firm BitDefender. Some of these images have also been …
John Leyden, 07 Apr 2014

Bank-raid ZeuS malware waltzes around web with 'valid app signature'

A variant of the bank-account-raiding ZeuS Trojan is masquerading as a legit Windows app using a valid digital signature – and packs a rootkit to burrow deep into victims' PCs. It appears miscreants have somehow gained access to the private signing key belonging to a Microsoft-registered third-party developer in Switzerland, and …
John Leyden, 05 Apr 2014

Final Windows XP Patch Tuesday will plug Word RTF vuln

The final Patch Tuesday for Windows XP will bring four bulletins, including a critical fix for a zero-day Word vulnerability uncovered last week. The critical 0-day vulnerability - already the object of targeted attacks - opens the door to remote code execution nasties if a user opens an RTF file in Word 2010 or in Outlook while …
John Leyden, 04 Apr 2014

Win XP usage down but not out as support cutoff deadline looms

Windows XP usage on the web is decreasing as the venerable operating system edges ever closer towards its "end of life" from Microsoft support next week. Data from cloud security firm Qualys's QualysGuard shows that the percentage of XP on machines decreased from 35 per cent as of January 2013 to 14 per cent in February 2014. …
John Leyden, 04 Apr 2014

'Bank couriers' who stole money from OAP cancer sufferer jailed

Two men have been jailed following their conviction for running a series of courier fraud scams in south London, Surrey and Sussex. Shaun Moore, 22, of no fixed abode and Jevon Grant, 20, of Croydon were sentenced to 18 months imprisonment and two years in a young offenders' institution, respectively. Both pleaded guilty to …
John Leyden, 03 Apr 2014

'Good job, NSA! You turned Yahoo! into an encryption beast'

Yahoo! has announced major encryption improvements designed to thwart dragnet surveillance efforts by the likes of the NSA. Alex Stamos, Yahoo!'s recently appointed CISO (chief information security officer), said the internet giant has finished encrypting traffic between its data centres. Stamos also outlined a roadmap for …
John Leyden, 03 Apr 2014

'Dads from the Midwest' pull down their email-spaffing LinkedIn plugin

A controversial browser plug-in that offered to reveal LinkedIn users’ private email addresses has been withdrawn by its developers, at least for now. Sell Hack added a “Hack In” button to LinkedIn profiles, which sometimes (but not always) displayed email addresses that supposedly allowed users to contact LinkedIn users …
John Leyden, 02 Apr 2014

Dimwit hackers use security camera DVRs as SUPER-SLOW Bitcoin-mining rig

Miscreants are using hacked digital video recorders in a somewhat misguided attempt to mine cryptocurrency BitCoins. Hackers have created custom code to infect devices normally used for recording footage from security cameras. After getting in, likely by taking advantage of weak default passwords, a common security mistake with …
John Leyden, 02 Apr 2014

Password bug let me see shoppers' credit cards in eBay ProStores, claims infosec bod

A serious vulnerability that potentially allowed shoplifters to empty eBay ProStores shops and swipe customer credit cards has been fixed – according to the security researcher who says he found the hole. Mark Litchfield, an infosec pro at Securatary, told us he discovered a flaw in eBay-owned ProStores that not only opened the …
John Leyden, 01 Apr 2014

Angry Birds developers downplay fresh data leak claims

The developers of Angry Birds have hit back at renewed allegations that the ultra-popular game leaks users' personal information. Security vendor FireEye put out a detailed critique of Angry Birds last week claiming that the smartphone game leaked data like a sieve. An early March update of Angry Birds, available through Google …
John Leyden, 01 Apr 2014

Snowden files latest: NSA and GCHQ targeted German satcomms

The NSA and GCHQ hacked into the systems of three German satellite communication providers, according to the latest leaks from the files of Edward Snowden, fugitive ex-NSA sysadmin. Der Spiegel reports that GCHQ and the NSA tried to infiltrate internal networks run by satellite comms firms Stellar, Cetel and IABG. Stellar …
John Leyden, 31 Mar 2014

Crack CERT warriors arrive to save UK from grid-crippling hack attacks

The UK is finally getting a national Computer Emergency Response Team (CERT), with the delayed launch of the organisation taking place today. CERT-UK, a key component of the government's £650m National Cyber Security Strategy, will co-ordinate responses to hacking and malware-based cyber attacks on a national level. The …
John Leyden, 31 Mar 2014

'I like big butts and I cannot lie, hackers take Pinterest on a joyride'

Miscreants have made an ass out of users of bewildering photo-sharing website Pinterest – by hijacking their accounts to flood the boards with butt pics. The cheeky spammers gained control of the profile pages by tricking victims into clicking on “Pin This” widgets on websites or running dodgy apps, all of which had malicious …
John Leyden, 28 Mar 2014