Articles about Audit

Here are the God-mode holes that gave TrueCrypt audit the slip

Google Project Zero hacker James Forshaw has found a pair of privilege-elevation holes in the once-popular TrueCrypt encryption package. The bugs have been patched in spinoff app Veracrypt, so if you want to stay secure, you may want to shift over to that package. The flaws are not the fabled backdoors feared lurking in the …
Darren Pauli, 29 Sep 2015

OpenSSL audit kicks off for post-Heartbleed strengthening program

A major audit of the ubiquitous OpenSSL web security protocol is set to commence under a US$1.2 million industry commitment to harden open source technologies. OpenSSL is first off the rank under the Linux Foundation’s Core Infrastructure Initiative given its popularity and lack of in-depth security review. "OpenSSL has been …
Darren Pauli, 10 Mar 2015

Homeland Insecurity: OIG audit identifies numerous deficiencies

An Office of the Inspector General audit into the US Department of Homeland Security has identified a range of deficiencies across the agency, which is responsible for America's cybersecurity. The 36-page audit (PDF) was published with the positive title "[Department of Homeland Security (DHS)] Can Strengthen its Cyber Mission …

Verizon promised to wire up NYC with fiber... and failed miserably – audit

New York City authorities have thumped Verizon for apparently reneging on its promises to wire up the Big Apple with super-fast fiber internet. In 2008, the city signed a deal with Verizon in which the telco promised to give every resident access to a fiber-optic broadband connection by July 2014. In return, the city reduced the …
Iain Thomson, 18 Jun 2015

Crack security team finishes TrueCrypt audit – and the results are in

The researchers behind the security audit of the TrueCrypt disk-encryption software have completed their work and say they have found no evidence of any deliberate backdoors or serious design flaws in its code. "Based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software," crypto boffin …
Neil McAllister, 02 Apr 2015

EU flings €1m at open source security audit wheeze

EU institutions have finally got the memo about it being a good idea to pinpoint and fix security vulnerabilities. Next year the European Parliament has allocated up to €1m for a project to audit free software programs in use at the European Commission (EC) and the EU Parliament in order to find and repair potential weaknesses …
Jennifer Baker, 23 Dec 2014

Premera healthcare: US govt security audit gave hacked biz thumbs up

Serious doubt has been cast on the US government's data security regulations after Premera Blue Cross was declared secure by Uncle Sam – just months before the healthcare giant was ransacked for financial and medical information by hackers. The biz underwent a computer security audit by a federal watchdog in January 2014, was …
Iain Thomson, 23 Mar 2015

Netflix releases reflected XSS audit tool for biz

Netflix has continued its contribution to the open source security community with the release of a tool to better help developers and admins identify cross-site scripting. The Sleeping Puppy tool joins Netflix's released security tools including Fully Integrated Defense Operation automated incident response platform, the …
Darren Pauli, 03 Sep 2015

Audit finds new flaw at US Office of Personnel Management

A security review that followed the original hack at the US Office of Personnel Management (OPM) has turned up a new, but hopefully-unexploited, vulnerability. The “Electronic Questionnaires for Investigations Processing” system, abbreviated to e-QIP, was found to be vulnerable under the review, and will be taken offline for as …

TrueCrypt audit: Probe's nearly all the way in ... no backdoor hit yet

The first phase of the crowd-funded audit of TrueCrypt has turned up several vulnerabilities, but nothing particularly amiss and certainly nothing that looks like a backdoor. iSEC Partners, which was contracted to carry out the audit by the Open Crypto Audit Project (OCAP), found 11 vulnerabilities in the full disk and file …
John Leyden, 15 Apr 2014

Cries of spies as audit group finds possible 'backdoor' in Bittorrent Sync

Updated: BitTorrent responds. Popular file sharing platform BitTorrent Sync is 'probably' leaking hashes to its website and access to shared data, a group audit has found. The platform, downloaded some 10 million times, allowed users to synchronise data over networks using encrypted peer-to-peer connections at speeds said to be 16 times faster than Dropbox, using …
Darren Pauli, 18 Nov 2014

TrueCrypt audit project founder: 'We've set our sights high'

Interview: A TrueCrypt audit project has uncovered a well of technical support with its plans to publicly audit the widely used disk and file encryption utility for the first time. TrueCrypt is a widely used utility that encrypts and decrypts entire drives, partitions or files within a virtual disk. The tool can also hide volumes of data …
John Leyden, 18 Nov 2013

Crowdfunded audit of 'NSA-proof' encryption suite TrueCrypt is GO

A fundraising effort to pay for an independent, professional security audit of TrueCrypt, the popular disk encryption utility, has raised enough money to pay for an arguably long overdue audit of the security software. TrueCrypt is a widely used utility that encrypts and decrypts entire drives, partitions or files within a …
John Leyden, 06 Nov 2013

These US Presidential contestants can't even secure their websites – what hope for America?

The majority of US presidential candidates' websites failed a basic privacy and security audit. In the Presidential Candidate Online Trust Audit, an audit by the Online Trust Alliance (OTA), the failures in 17 out of 23 cases came as a result of a variety of poor privacy practices, including the sharing or trading of website …
John Leyden, 22 Sep 2015

Fukushima nuke plant owner told to upgrade from Windows XP

The Tokyo Electric Power Company (TEPCO), operator of the stricken Fukushima Daiichi nuclear energy complex, has been told to migrate 48,000 internet-connected PCs off Windows XP sooner rather than later. TEPCO was recently probed by Japan's Board of Audit, an organisation that oversees the finances of Japan's government and …
Simon Sharwood, 23 Apr 2015

'White hats don't want to work for us' moans understaffed FBI

The Federal Bureau of Investigation is struggling to hire computer scientists, according to a Department of Justice audit of the feeb's attempts to implement its Next Generation Cyber Initiative. A 34-page audit report (PDF) from the DoJ notes that, while making considerable progress, the FBI has "encountered challenges in …

IBM tightens Passport Advantage licensing terms

IBM software customers should be on their guard following changes to the fine print of the giant’s Passport Advantage program. IBM reworded part of Passport Advantage late last year, The Reg has learned, putting more onus on the customer than ever before to keep clear and accurate records of their software use. The changes mean …
Gavin Clarke, 07 Apr 2015

Take that NATS! Jocko IT is also totally rubbish. BOOM!

Scottish nationalists have a lot more in common with their Sassenach cousins than they'd like to admit, with both nations seemingly equally crap at IT. A report by the country's spend watchdog Audit Scotland found the government "Continue[s] to encounter difficulties" in managing Information and Communication Technology (ICT) …
Kat Hall, 19 Jun 2015

Horrors of murky TrueCrypt to be probed once more

The gears of the TrueCrypt audit have whirred into life overnight with boffins poised to again probe the open source crypto tool after nearly a year of waiting. A tiny team will fondle the tool's random number generators, cipher suites and key algorithms in a bid to pull the internet's favourite crypto suite out of the pariah …
Darren Pauli, 20 Feb 2015

National Audit Office tears government's savings claims in HALF

The National Audit Office has questioned the Cabinet Office's weighty ICT savings claims and revealed it still does not know how many small biz suppliers are winning public sector contracts. Minister Francis Maude's merry band claims it saved taxpayers £702m on tech and comms spending in fiscal 2012 ended March - £354m through …
Paul Kunert, 23 Jan 2013

Microsoft and Oracle are 'not your trusted friends', public sector bods

Software providers such as Microsoft and Oracle are aggressively targeting public sector customers with licence "audit reviews" in a bid to plug falling subscription revenue, according to research. Over one-third of the 436 councils surveyed across the UK have been subject to at least one software licence review in the last 20 …
Kat Hall, 27 Mar 2015

Salesforce unleashes red-tape-as-a-service for regulation-heavy users

Salesforce has launched its slightly-more-secure-software-as-a-service for organisations in industries compelled to wrap themselves in red tape. The Salesforce1 service, dubbed "Shield", offers encryption, monitoring, and archiving for the platform's apps. Salesforce says the platform includes field audit trail, platform …
Team Register, 15 Jul 2015

Security audit finds dev OUTSOURCED his JOB to China to goof off at work

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet. The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system with …
Iain Thomson, 16 Jan 2013

US watchdog: Anthem snubbed our security audits before and after enormous hack attack

A year or so before American health insurer Anthem admitted it had been ruthlessly ransacked by hackers, a US federal watchdog had offered to audit the giant's computer security – but was rebuffed. And, after miscreants looted Anthem's servers and accessed up to 88.8 million private records, the watchdog again offered to audit …
Shaun Nichols, 05 Mar 2015

Hands off, Apple! Irish dev studio sues over alleged iWatch infringement

Cupertino's lawyers must hasten with all fair speed to Milan, where Irish company Probendi has filed a suit alleging infringement of the latter's iWatch trademark. Apple has placed an advertisement with Google to link to its wristjob when users search for the "iWatch", presumably to catch the eyes of novitiate fanbois not yet …

Child labour, lost wages uncloaked by Apple factories audit

Apple has for the first time released a complete list of its suppliers [PDF], publishing the names of 156 companies who make the parts for everything from Macbook screens to iPad covers. The list includes well-publicised contracts, such as Apple's mega deals with Samsung and LG, as well as more obscure deals with smaller …
Anna Leach, 16 Jan 2012

Lenovo CTO: Hey, look around – we're not the only ones with a crapware infection

On Friday Lenovo is going to tell the world about how it plans to regain the trust of its users in the wake of the Superfish clusterfuck – and may even launch an independent security audit of its products. "Our goal, in the end, is to make this right," Lenovo's CTO Peter Hortensius told The Register on Tuesday. "It's going to …
Iain Thomson, 25 Feb 2015

Oracle swaps around its licence police bods' top ranks

Oracle’s mighty software enforcement unit is now under new management in the UK, Israel and Ireland. Caroline Crowe-Woolley has been appointed senior manager head of UKII region License Management Services (LMS), taking over from Mike Duncan. Duncan had occupied the LMS spot since January 2013. Also gone is head of LMS UK …
Gavin Clarke, 06 Oct 2015

Hash-tag CompSci: FBI grooms pre-weed teens

The FBI is launching a pilot programme to groom teenage hackers for "the mission" before said hackers start hitting the bong – or get well-paid positions at private sector companies. The pilot programme will be rolled out next autumn, reports the Financial Times (behind paywall), and will see the agency offering computer …

VMware's tool to harden virtual networks: a spreadsheet

VMware has released a guide to hardening its NSX virtual networking and product. The guide published online by VMware information security professional Pravin Goyal, covers management, control and data planes. It recommends including audit logs and system events in backups, enabling and securing remote logging for the NSX …
Darren Pauli, 14 Oct 2014

DataGravity puts a little weight behind protecting your information

Paula Long-led startup DataGravity has updated its Discovery array with second-generation Discovery Series V2 software. DataGravity said its arrays integrate the separate functions of data security, search and discovery, and protection into one platform and provide visibility into data as it's created. The added software …
Chris Mellor, 14 Aug 2015

Trustmarque: 2014 was a helluva year – for all the wrong reasons

Trustmarque swung to a loss in a challenging 2014 caused by a write-down of acquired Opin Systems, the correction of overstated profits in the prior year and commercial uncertainty leading up to its sale to Liberata. The licensing specialist turned over £135.4m in the twelve months, £99m of which was based on Microsoft …
Paul Kunert, 02 Oct 2015

ICO's data protection tentacles will penetrate NHS bodies

NHS bodies in the UK can now be forced to open themselves up to data protection audits under new powers handed to the Information Commissioner's Office (ICO). The watchdog said its audit regime follows a "participative approach" and that it would therefore first ask health bodies if they would voluntarily …
OUT-LAW.COM, 03 Feb 2015

Microsoft in SaaS-y cloud data security slurp

Microsoft has acquired cloud security outfit Adallom. Adallom was founded in 2012 and follows the “R&D in Israel, sales in Silicon Valley” template for a range of data security products for clouds. The company's wares bring data loss prevention and reporting to cloud storage services, offering users the chance to see just who' …
Simon Sharwood, 09 Sep 2015

Union confirms two-day strike over Universal Credit's pisspoor IT

Universal Credit staff will strike for two days next week over "increasingly oppressive" working conditions and unusable IT, the Public and Commercial Services trade union has confirmed, following a vote late last week. The union's members voted to down tools at the Glasgow and Bolton centres last week, where more than half (1,500 …
Kat Hall, 13 Jul 2015

Google makes admen pay for fake YouTube views, claims research

Google has been accused of charging advertisers for YouTube clicks against adverts even when some of those ads have not actually been viewed by a human, according to a study. The paper – Understanding the detection of fake view fraud in Video Content Portals (PDF) – by a group of European researchers evaluated the performance …
Kat Hall, 24 Sep 2015

China's hackers stole files on 4 MEELLION US govt staff? Bu shi, says China

China is fending off accusations it was behind the theft of personal dossiers on four million US government workers – some of whom had applied for or were granted security clearances. China's foreign ministry spokesman Hong Lei told NBC News: "We hope the United States could discard this kind of suspicion and stop groundless …
Shaun Nichols, 05 Jun 2015

Soz SMEs, we're not interested in your direct biz

Small biz suppliers received no more love from government procurement departments last year, with direct spend dipping by 0.1 per cent compared with 2012/13 to £4.5bn. Over the last two years, direct spend rose by just 0.3 per cent, according to government figures. In 2010 the government set a target for 25 per cent of all its …
Kat Hall, 25 Feb 2015

Ubiquiti stung US$46.7 million in e-mail spoofing fraud

Ubiquiti Networks has been defrauded of more than US$46 million by scammers who spoofed its communications. The heist was revealed in an SEC Form 8-K filing. Apart from the financial information, details are scant. The San Jose company says: “The incident involved employee impersonation and fraudulent requests from an outside …

Facebook spurns privacy probe as 'routine audit'

Facebook's international headquarters are in Dublin, Ireland, where the company just so happens to face a regulatory probe into the handling of personal data on the social network. According to the RTE, the Irish data protection commissioner will carry out a privacy audit of the site in November. That's potentially a big deal, …
Kelly Fiveash, 30 Sep 2011

Hacked US Census Bureau staff to take anti-phishing classes

The US Census Bureau has asked for additional IT security training for its staff – including tips on how not to fall for phishing emails – in the wake of last week's server breach. The bureau said in a blog post over the weekend that the hackers who managed to pull employee records from its computers did so by targeting the …
Shaun Nichols, 28 Jul 2015

Whitehall IT running costs creep up again to £4.6bn

Despite government plans to cut expensive contracts, IT running costs across Whitehall crept up by 7 per cent year-on-year to £4.6bn in 2014/15, according to a spend analysis by The Register. The findings are based on official government figures from eight of the largest Whitehall departments. The Ministry of Defence – which …
Kat Hall, 20 Aug 2015

Ten years on, TEN PER CENT of retailers aren't obeying CAN-SPAM

One in 10 of the world’s largest online retailers are still violating the CAN-SPAM Act, a full 10 years after the US anti-spam legislation went into effect. The finding comes from an audit by the Online Trust Alliance (OTA), a non-profit with the mission to enhance online trust. They also found that 70 per cent of 200 online …
John Leyden, 18 Sep 2014

Microsoft throws crypto foes an untouchable elliptic curveball

While Washington mulls ways to make crypto less effective, the industry, thank heavens, continues to push in the other direction. Microsoft Research has just published an elliptic curve library it reckons is considerably faster than what's currently available. Outlined in this International Association for Cryptologic Research …

Scouts take down database due to 'security vulnerabilities'

The Scouts Association has taken down its Compass database, which holds the records of nearly half-a-million young people and adult volunteers, after discovering a "potential security vulnerability," The Register can reveal. In a letter seen by El Reg and addressed to members this morning, the association said the decision was …
Kat Hall, 28 Jan 2015

NIST issues 'don't be stupid' security guidelines for contractors

There's no irony here at all: America's National Institute of Standards and Technology (NIST) has finalised its advice to US Federal agencies about how sensitive data should be protected when it's handled by contractors and outsiders. The recommendations, if they'd existed and been followed, might have helped protect Americans …

GSMA appoints Mats Granryd as new director general

The new director general of the mobile phone operators organisation is Mats Granryd, who will take up his new role on January 1 2016. Granryd’s appointment follows the departure of Anne Bouverot last month. Bouverot has gone to head up French security and identity solution vendor Morpho. Granryd will be joining the GSMA from …
Simon Rockman, 25 Aug 2015

Smile! Brit transport plods turn bodycams on travelling public

British Transport Police have agreed to test 250 Taser Axon body-worn cameras. The gizmos film alleged criminal activity witnessed by the cops, before uploading the footage to a data management system. Taser promised that the evidence gathered from the devices would be stored and managed securely on its platform. The BTP will …
Team Register, 29 Apr 2015

NHS IT failures mount as GP data system declared unfit for purpose

The towering scrapheap of NHS IT failures may be about to rise further, with the increasingly expensive GP Extraction Service IT system deemed not fit for purpose by the government's spending watchdog. Costs for the GPES IT system, which is supposed to extract data from all GP practices in England, have ballooned from £14m to £40m …
Kat Hall, 02 Jul 2015

3l33t haxxors don't need no botnet, they just pinch passwords

Half of all breaches Dell's SecureWorks outfit has responded to over the last year have been a result of attackers using legitimate admin tools and stolen credentials. Dell's threat research unit says the "living off the land" hack tactic makes security controls that seek malware and hacking infrastructure redundant, …
Darren Pauli, 08 Sep 2015