Articles about Blunder


IPO spews email addresses to hundreds of recipients. Twice

The department entrusted with the protection of corporate data is seemingly somewhat less bothered when it comes to guarding personal info. The Intellectual Property Office yesterday made the classic schoolboy error of sending out an email containing hundreds of recipients in the 'to' field. Realising its blunder minutes …
Kat Hall, 15 Jul 2016

Software bug costs Citigroup $7m after legit transactions mistaken for test data for 15 years

A programming blunder in its reporting software has led to Citigroup being fined $7m (£5m). According to the US Securities and Exchange Commission (SEC), that error [PDF] resulted in the financial regulator being sent incomplete "blue sheet" information for a remarkable 15 years – from May 1999 to April 2014. The mistake was …
Kieren McCarthy, 13 Jul 2016

Cracking Android's full-disk encryption is easy on millions of phones – with a little patience

Android's full-disk encryption on millions of devices can be cracked by brute-force much more easily than expected – and there's working code to prove it. Essentially, if someone seizes your Qualcomm Snapdragon-powered phone, they can potentially decrypt its file system's contents with a friendly Python script without knowing …
Iain Thomson, 01 Jul 2016

London Mayor election day bug forced staff to query vote DB by hand

The confirmation of Sadiq Khan as Mayor of London last month was delayed for several hours by a database application bug. The announcement of the election's winner was pushed back from May 6 to May 7 as a result of the programming cockup, which was buried in the IntElect systems used to scan and tabulate citizens' votes. …
Shaun Nichols, 17 Jun 2016

Virgin Media goes TITSUP* in South London due to painful piles

Thousands of South Londoners have been knocked offline due to a blunder by a construction worker slicing through a Virgin cable. On Tuesday afternoon, a major segment of Virgin Media's fibre cabling was cut by a pile driver on a construction site in Brixton. The cabling has yet to be repaired. Approximately 4,300 customers …
Kat Hall, 15 Jun 2016

Kazakhstan wins bid to get Mega IP address info on state secrets hackers

File storage site Mega has been ordered to hand over IP address information to the Kazakhstan Government that could identify a user alleged to have uploaded more than 100,000 stolen documents to the service. Hackers allegedly popped Kazakhstan networks last year, allegedly uploading the stolen documents to Mega's servers …
Darren Pauli, 13 May 2016

Malware scan stalled misconfigured med software, mid-procedure

A user or reseller who couldn't be bothered configuring their antivirus properly has hit the headlines for interrupting doctors trying to insert a vascular catheter into a patient. As the FDA's Adverse Event Report says, an hourly malware scan stalled a Merge Healthcare Hemo unit, which collects patient vital signs, displays …

This is what a root debug backdoor in a Linux kernel looks like

A root backdoor for debugging ARM-powered Android gadgets managed to end up in shipped firmware – and we're surprised this sort of colossal blunder doesn't happen more often. The howler is the work of Chinese ARM SoC-maker Allwinner, which wrote its own kernel code underneath a custom Android build for its devices. Its Linux …

ImageMagick exploits spotted

Malicious images exploiting server-hijacking holes in ImageMagick have been spotted and documented by web host biz CloudFlare. As we reported last week, ImageMagick – a tool used by countless websites to process images submitted by users – has a pretty bad bug that allows images to execute commands on vulnerable systems. The …
Chris Williams, 09 May 2016

London NHS trust fined £180,000 after second bcc fail on HIV email list

The Information Commissioner's Office (ICO) has handed down a £180,000 fine to an NHS trust in London after it revealed the email addresses of more than 700 users of an HIV information service. The data blunder occurred last year when a sexual health clinic at 56 Dean Street, which is operated as part of Chelsea and …

Woman charged with blowing AU$4.6m overdraft on 'a lot of handbags'

A 21-year-old woman has appeared in court in Sydney accused of taking advantage of a Westpac Bank glitch which saw her accidentally granted an unlimited overdraft against which she allegedly withdrew AU$4.6m, "part of which she spent on luxury handbags", as news.com.au puts it. Chemical engineering student Christine Jiaxin Lee …
Lester Haines, 05 May 2016

Oz gummint seeks public input on 'site block' guidelines

The Australian government has decided it could do with some public input regarding the use of a controversial site-blocking law. No, it's not the “block the pirates” law that came into force last year. Rather, it's Section 313 of the Telecommunications Act, a provision that received little attention until the Australian …

What was all that about a scary iMessage flaw? Your three-minute guide

Watercooler – On Sunday, we were warned that hackers could read our iMessage texts, photos and videos. Should I be worried? As it turns out: no. If you're even a little curious about cryptography and secure programming, though, it should interest and amuse you. On Sunday, the Washington Post learned that Apple had fixed a flaw in the …
Chris Williams, 23 Mar 2016

Clear April 12: Windows, Samba to splat curious 'crucial' Badlock bug

April 12 – save the date if you're a Windows or Samba file server administrator. Stefan Metzmacher, a Samba core developer, has discovered what sounds like a pretty bad security bug, and he says it will be patched on that day next month. The vulnerability already has everything it needs to make a big splash: a name, Badlock; …
Chris Williams, 22 Mar 2016

Google spews critical Android patch as millions of gadgets hit by Linux kernel bug

Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices. The vulnerability (CVE-2015-1805) affects all Android devices running Linux kernel versions below 3.18 – we're talking millions of gadgets and handhelds, here. The vulnerability is a privilege elevation that …
Darren Pauli, 22 Mar 2016

FreeBSD crushes system-crashing bug

Sysadmins ought to patch their FreeBSD systems after an irritating bug was found in the kernel. A programming blunder involving integer signedness can be exploited by a logged-in user to crash a system. With the right parameters, you can trick the kernel into clearing too much of its heap memory with zeros via the sysarch …
John Leyden, 18 Mar 2016

Snowden WAS the Feds' quarry in Lavabit case, redaction blunder reveals

It was Edward Snowden's email account the FBI was targeting in its extraordinary legal case against Lavabit, we can now confirm. Lavabit ran an encrypted email service that Edward Snowden was thought to have used in 2013 to contact journalists about the top-secret NSA files he had in his possession. In documents published …
Kieren McCarthy, 17 Mar 2016

Bloke pockets $15k for spotting Facebook password-reset blunder

Facebook has slung US$15,000 in the direction of Anand Prakesh for discovering a serious bug on its beta servers. Late in February, Prakesh writes, he discovered that the company's beta sites didn't rate limit the PINs used for password resets. If you request a password reset via a PIN sent to your phone, after 10 or 12 …
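The bug described above comes down to one missing check: a reset PIN that can be guessed as many times as the attacker likes. The following is an added example, not Facebook's code, showing a verifier without an attempt budget beside one with a per-request limit, and a brute-forcer run against each. PIN length, the attempt limit and the `ResetRequest` shape are assumptions chosen for the demonstration.

```python
"""Added example: reset-PIN verification with and without an attempt budget."""
import hmac
import secrets
from dataclasses import dataclass

PIN_DIGITS = 6        # assumed: six decimal digits, as delivered by SMS
MAX_ATTEMPTS = 5      # assumed policy: guesses allowed per reset request


@dataclass
class ResetRequest:
    """State held server-side for one outstanding password reset."""
    pin: str
    attempts: int = 0
    consumed: bool = False


def new_reset_request() -> ResetRequest:
    """Issue a fresh random PIN (hypothetical issuance step)."""
    return ResetRequest(pin=f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}")


def verify_unlimited(req: ResetRequest, guess: str) -> bool:
    """Vulnerable: nothing stops the caller enumerating all 10**PIN_DIGITS values."""
    return hmac.compare_digest(req.pin, guess)


def verify_limited(req: ResetRequest, guess: str) -> bool:
    """Hardened: a fixed number of guesses per request, then the request is dead.

    The user has to start a new reset (new random PIN), so an attacker never
    gets more than MAX_ATTEMPTS guesses against any one PIN value.
    """
    if req.consumed or req.attempts >= MAX_ATTEMPTS:
        return False
    req.attempts += 1
    if hmac.compare_digest(req.pin, guess):
        req.consumed = True          # single use: a correct PIN burns the request
        return True
    if req.attempts >= MAX_ATTEMPTS:
        req.consumed = True          # budget exhausted: burn it
    return False


def brute_force(verify, req: ResetRequest) -> tuple[bool, int]:
    """Try every PIN in order against `verify`; return (cracked, guesses made)."""
    total = 10 ** PIN_DIGITS
    for i in range(total):
        if verify(req, f"{i:0{PIN_DIGITS}d}"):
            return True, i + 1
    return False, total


if __name__ == "__main__":
    print("no rate limit:", brute_force(verify_unlimited, new_reset_request()))
    print("attempt budget:", brute_force(verify_limited, new_reset_request()))
```

In production the budget would live next to the request in the same store that holds the PIN, and the count should be enforced on the server before the comparison, never client-side; a per-IP limit alone is not enough, since an attacker can spread guesses across many source addresses.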

Feds spank Asus with 20-year audit probe for router security blunder

Asus has settled its case with the US Federal Trade Commission (FTC) after hackers pwned nearly 13,000 home routers via an unpatched security flaw. The case arose in February 2014, when miscreants used an easily exploitable flaw in Asus's home router line to take control of 12,900 systems in the US. An investigation by the FTC …
Iain Thomson, 23 Feb 2016

Comodo's 'security' kit installed a lame VNC server on PCs on the sly

Google's Project Zero has found yet another blunder in Comodo's internet "security" software – a VNC server enabled by default with a predictable password. Earlier this month, Googler Tavis Ormandy pointed out that Comodo's custom web browser, dubbed Chromodo, was about as unsafe as a lace condom thanks to terrible security …
Iain Thomson, 18 Feb 2016

Good thing this dev quit. I'd have fired him. Out of a cannon. Into the sun

Line Break Roll up, roll up. It's your Wednesday dose of ridiculous code spotted in the wild. If you've seen some horrors, send over your tales, please, and we'll share them with our readers. We've had a great response so far, which perhaps is a damning indictment for the software engineering industry. It can't be all bad, though – …
Chris Williams, 17 Feb 2016

Patch ASAP: Tons of Linux apps can be hijacked by evil DNS servers, man-in-the-middle miscreants

A huge amount of Linux software can be hijacked by hackers from the other side of the internet, thanks to a serious vulnerability in the GNU C Library (glibc). Simply clicking on a link or connecting to a server can lead to remote code execution, allowing scumbags to steal passwords, spy on users, attempt to seize control of …
Iain Thomson, 16 Feb 2016

Council IT system goes berserk, packs off kids to the wrong schools

Brit families waiting to find out if their kids have been accepted into their secondary school of choice were bamboozled on Thursday by a computer blunder. Herefordshire Council's systems sent out a wedge of emails to parents offering their children places for the new school year – but the information was wrong. It appears …
Chris Williams, 12 Feb 2016

Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months

Web hosting biz Linode broke the security in its customers' virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them. Nodes that installed Linode's Ubuntu 15.10 image between November 10, 2015, and February 4, 2016, all use the same SSH server key. Usually, a unique key is generated during …
Chris Williams, 09 Feb 2016

Home Office lost its workers' completed security vetting forms

The Home Office has admitted to The Register that among its data breach incidents last year was one in which security vetting documents disappeared from within secured government premises. Through the Freedom of Information Act, The Register has learned that the Home Office – responsible for the UK's domestic counter- …

You've seen things people wouldn't believe – so tell us your programming horrors

Line break Shellshock. Heartbleed. That CCTV storage firmware with a hardcoded password. We've all seen some really bad code. Maybe that's just me. Given that many of our sysadmin readers have poured in tales of fixing impossibly broken servers for our On-Call series, we know our software-wrangling readers have faced similar battles …
Chris Williams, 28 Jan 2016

IRS 'inadvertently' wiped hard drive Microsoft demanded in audit row

The IRS has declined to produce data in a Freedom of Information Act (FOIA) battle between itself and Microsoft – because the taxmen deleted the information after receiving the information request. In a filing [PDF] to the US District Court of Western Washington this month, Uncle Sam's Internal Revenue Service said it would be …
Shaun Nichols, 21 Jan 2016

Cisco patch day fixes CGI script blunder, hard-coded credentials

If you've got a Cisco Unified Computing System or a Firepower 9000 Series appliance, get busy patching. The Borg says it slipped up and let a CGI script make unprotected calls to shell commands. By fooling around with the URL, an attacker would be able to send arbitrary commands to the affected kit. All versions of UCS …
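The Cisco slip above is the textbook shape of command injection: a URL parameter interpolated into a shell command line. As an added example, not Cisco's code, here is a small request handler that makes the same mistake beside a hardened version that validates the parameter and passes it as a single argv element with no shell at all. The `host` parameter, the allow-list regex and the use of `echo` in place of the real diagnostic tool are assumptions made so the example runs offline and harmlessly.

```python
"""Added example: shell command injection via a query parameter, and the fix."""
import re
import subprocess
from typing import Optional
from urllib.parse import parse_qs

# Assumed allow-list: hostname characters only, and no leading '-' so the
# value can never be parsed as an option by the tool it is handed to.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def _host_param(query_string: str) -> str:
    """Pull the (URL-decoded) 'host' parameter out of a CGI QUERY_STRING."""
    return parse_qs(query_string).get("host", [""])[0]


def run_vulnerable(query_string: str) -> list[str]:
    """Vulnerable: the raw parameter is spliced into a shell command line."""
    host = _host_param(query_string)
    cmd = f"echo ping -c 1 {host}"          # 'echo' stands in for the real tool
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_hardened(query_string: str) -> Optional[list[str]]:
    """Hardened: validate against an allow-list, then exec without a shell.

    Returns None when the parameter is rejected, so the caller can answer 400.
    """
    host = _host_param(query_string)
    if not HOST_RE.fullmatch(host):
        return None
    # argv list: the kernel receives one string per argument, nothing is
    # re-parsed by /bin/sh, so ';', '|', '$(...)' and friends are inert.
    proc = subprocess.run(["echo", "ping", "-c", "1", host],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    evil = "host=127.0.0.1%3Becho%20INJECTED"      # decodes to 127.0.0.1;echo INJECTED
    print("vulnerable:", run_vulnerable(evil))
    print("hardened:  ", run_hardened(evil))
    print("hardened:  ", run_hardened("host=example.com"))
```

Two things to notice: the injection arrives URL-encoded, so checking the raw query string for `;` would miss it, and the hardened version still needs the allow-list even though it never invokes a shell, because a value like `-h` would otherwise be handed to the tool as an option.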

FTC apologizes for leaking attendee details … to privacy conference

The Federal Trade Commission (FTC) has put in a strong bid for the 2016 Ironic Idiocy Award after it sent the details of every attendee at one of its conferences to every other attendee. The conference? Privacy CON. The conference, taking place today in Washington DC, is heavy on university research and covers topics like " …
Kieren McCarthy, 14 Jan 2016

Evil OpenSSH servers can steal your private login keys to other systems – patch now

Malicious OpenSSH servers can silently steal people's private SSH keys as they try to login, it emerged today. This means criminals who compromise one server can secretly grab keys needed to log into other systems from a user's computer – allowing crooks to jump from server to server. The security cockup, present in the …
Iain Thomson, 14 Jan 2016

Video game retailer GAME in email marketing FAIL

Hundreds of UK video game fans became unwitting recipients of each others’ email addresses this week following a messaging cock-up at online retailer GAME.co.uk. El Reg learned of the snafu through reader David, who seems to have been something of a patient zero in the minor privacy flap. Human error meant that “To:” field …
John Leyden, 14 Jan 2016

Patch now: VMware Tools for Windows root holes fixed in update

VMware sysadmins, get patching: the virtualisation outfit has released updates to its ESXi, Fusion, Player and Workstation software to block out a privilege-escalation vulnerability. The patch applies to VMware Windows Workstation versions before 11.1.2, Player and Fusion versions prior to 7.1.2, and various ESXi versions …

Password-less database 'open-sources' 191m US voter records on the web

Updated A database with personal information on 191,337,174 US voters has apparently been found unprotected online by a security researcher in Texas. Austin-based Chris Vickery – who earlier this month found records on 3.3 million Hello Kitty users splashed online – says the wide-open system contains the full names, dates of birth, …
Iain Thomson, 28 Dec 2015

Software bug sets free thousands of US prisoners too early

Washington State Department of Corrections is facing an investigation after it released more than 3,200 prisoners too early due to a software bug. "These were serious errors with serious implications," Governor Jay Inslee said in a statement. "When I learned of this I ordered [the Department of Corrections] to fix this, fix it …
Iain Thomson, 23 Dec 2015

Xen Project blunder blows own embargo with premature bug report

The Xen Project has reported a new bug, XSA-169, that means “A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.” The fix is simple – running only paravirtualised guests – but the bug is a big blunder for another reason. Xen is very widely used by big cloud …
Simon Sharwood, 23 Dec 2015

CIOs, what does your nightmare before Christmas look like?

CIO Manifesto We gathered 14 of the UK’s finest IT leaders in a secure bunker (elegant room in the Soho Hotel -Ed.) for the last Register Round Table of 2015 to hear their tales of when good IT goes bad. The short version is the thing they fear most is you, dear reader, your screw-ups, your documentation, your thefts, your dodgy code, your …
Joe Fay, 22 Dec 2015

ICO slaps HIV support group with £250 fine following email blunder

An HIV support group responsible for inadvertently revealing patient identities via an email blunder has been slapped with a £250 fine by the Information Commissioner's Office. The Bloomsbury Patient Network sent out a newsletter to 200 patients via email using a list of addresses in the "to" field rather than the "bcc" field …
Kat Hall, 18 Dec 2015
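The Bloomsbury Patient Network fine above, the 56 Dean Street fine, the GAME.co.uk mailing and the IPO email are all the same mistake: the whole recipient list written into the "To:" header, where every recipient can read it. The following added example, not code from any of those organisations, builds a bulk message the wrong way and the right way and shows what an `addresses_exposed` check finds in each. The sender and recipient addresses are constructed, and the "right" variant keeps recipients in the SMTP envelope only; the `smtplib.SMTP.send_message(msg, to_addrs=...)` call that would deliver it is left as a comment so the example runs offline.

```python
"""Added example: bulk mail with recipients in the To: header versus the envelope."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data.
SENDER = "newsletter@example.org"
RECIPIENTS = [f"patient{i}@example.net" for i in range(1, 6)]


def build_bulk_mail_wrong(sender: str, recipients: list[str],
                          subject: str, body: str) -> EmailMessage:
    """The blunder: every recipient is listed in the To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_mail_right(sender: str, recipients: list[str],
                          subject: str, body: str) -> tuple[EmailMessage, list[str]]:
    """Recipients go in the SMTP envelope only; the headers name nobody but the sender.

    Note: no Bcc: header is written at all. A Bcc: header is harmless only if the
    submitting MTA strips it; leaving it out removes that dependency.
    Delivery would be:
        # with smtplib.SMTP("mail.example.org") as s:
        #     s.send_message(msg, from_addr=sender, to_addrs=envelope)
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                 # or one list address; never the members
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def addresses_exposed(msg: EmailMessage) -> set[str]:
    """Every address a recipient will see in the delivered headers."""
    found = set()
    for header in ("To", "Cc", "Bcc"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.add(addr)
    return found


if __name__ == "__main__":
    wrong = build_bulk_mail_wrong(SENDER, RECIPIENTS, "Newsletter", "Hello")
    right, envelope = build_bulk_mail_right(SENDER, RECIPIENTS, "Newsletter", "Hello")
    print("wrong exposes:", sorted(addresses_exposed(wrong)))
    print("right exposes:", sorted(addresses_exposed(right)))
    print("envelope recipients:", len(envelope))
```

A pre-send check along the lines of `addresses_exposed` belongs in whatever tool staff use for list mail: refuse to send when the header set contains more than a handful of addresses that are not the sender or the list's own address. For sensitive lists, sending one personalised message per recipient is the safer design, since then there is no shared recipient set to leak.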

'Powerful blast' at Glasgow City Council data centre prompts IT meltdown

The catastrophic service outage at Glasgow City Council's data centre, caused after its IT systems servers were taken down by a fire suppressant accidentally going off, is continuing to cause widespread havoc for staff and the public. The embarrassing blunder was caused by a faulty air conditioning unit setting off its fire …
Kat Hall, 17 Dec 2015

Windows' authentication 'flaw' exposed in detail

Updated Security researcher "dfirblog" has forensically examined what he calls a "devastating" flaw in Windows' Kerberos authentication system. The vulnerability cannot be fixed, and the only solution is to use Microsoft's Credential Guard program to prevent passwords from being stored in memory, according to his extensive blog post …
Kieren McCarthy, 15 Dec 2015

Lenov-lol, a load of Tosh, and what the Dell? More bad holes found in PC makers' bloatware

Lenovo laptops and PCs can be hijacked by visiting a malicious website – and Dell and Toshiba machines suffer vulnerabilities, too, we're told. If you're running the Lenovo Solution Center bundled with Lenovo gear, and you browse by an evil webpage, scripts on that page can run code with full system privileges on your computer …
Chris Williams, 05 Dec 2015

VPN users menaced by port forwarding blunder

Virtual Private Network (VPN) protocols have a design flaw that can be potentially exploited by snoops to identify some users' real IP addresses. VPN provider Perfect Privacy, which discovered the security weakness, has dubbed it "port fail", and says it affects VPNs based on the IPSec (Internet Protocol security) or PPTP ( …
Darren Pauli, 30 Nov 2015

HTTPSohopeless: 26,000 Telstra Cisco boxen open to device hijacking

More than 26,000 Cisco devices sold by Australia's dominant telco Telstra are open to hijacking via hardcoded SSH login keys and SSL certificates. The baked-in HTTPS server-side certificates and SSH host keys were found by Sec Consult during a study of thousands of router and Internet of Things gizmos. Cisco warns that …
Darren Pauli, 27 Nov 2015
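The Telstra/Cisco finding above and the Linode Ubuntu image story further down this page are the same failure seen from two sides: many hosts sharing one SSH host key, whether because a vendor baked it into firmware or because a cloud image shipped with the key already generated. Shared keys are easy to spot from the outside, since the fingerprint is the same on every affected host. The following is an added example, not Sec Consult's, Cisco's or Linode's tooling, that computes OpenSSH-style SHA256 fingerprints from `ssh-keyscan`-format lines and groups hosts that present the same key. The host names and key blobs are constructed (the blobs have the ed25519 wire shape but are not real key pairs).

```python
"""Added example: find hosts that share an SSH host key by fingerprint."""
import base64
import hashlib
from collections import defaultdict


def fingerprint(keytype_and_blob: str) -> str:
    """OpenSSH SHA256 fingerprint ('SHA256:...') of a 'type base64blob' string."""
    keytype, blob_b64 = keytype_and_blob.split()[:2]
    blob = base64.b64decode(blob_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(keyscan_lines: list[str]) -> dict[str, list[str]]:
    """Group hosts by host-key fingerprint; return only fingerprints seen on >1 host.

    Input lines have the shape produced by `ssh-keyscan -t ed25519 host ...`:
        host ssh-ed25519 AAAAC3...
    Comment lines beginning with '#' are ignored.
    """
    by_fp: dict[str, list[str]] = defaultdict(list)
    for line in keyscan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, blob = line.split()[:3]
        by_fp[fingerprint(f"{keytype} {blob}")].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def constructed_key(seed: int) -> str:
    """Constructed test key: ed25519 wire format around 32 stand-in bytes."""
    fake_pub = hashlib.sha256(b"demo-%d" % seed).digest()        # not a real key
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + fake_pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed scan of four hosts; three were built from the same image/firmware.
SAMPLE_KEYSCAN = [
    "# host keys collected with ssh-keyscan (constructed sample)",
    f"vm-a.example {constructed_key(1)}",
    f"vm-b.example {constructed_key(1)}",
    f"vm-c.example {constructed_key(1)}",
    f"vm-d.example {constructed_key(2)}",
]


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against a real `ssh-keyscan` dump of your fleet, any fingerprint that appears more than once is a host whose "identity" can be impersonated by whoever else holds that key. The fix on an affected Linux box is to delete the shipped keys and regenerate them (the Linode case), and on an appliance with the key in firmware there is no fix short of a vendor image that generates keys on first boot.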

Microsoft rides to Dell's rescue, wrecks rogue root certificate

Microsoft has killed Dell's user-pwning root certificate and its self-reinstalling .dll with its antivirus Defender tool. The certificate is a big blunder because it opens a universal means for attackers on public networks to hose new Dell laptops. That's because bright minds planted a self-signed root CA certificate and …
Darren Pauli, 26 Nov 2015

Why Microsoft yanked its latest Windows 10 update download: It hijacked privacy settings

Microsoft withdrew downloads for its latest official edition of Windows 10, version 1511, after it meddled with people's privacy settings. Earlier we reported how Redmond disappeared the update, which could be fetched via the official media creation tool (MCT). The download became available in mid-November after Microsoft …
Chris Williams, 25 Nov 2015

Superfish 2.0: Dell ships laptops, PCs with huge internet security hole

Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more. The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted …
Shaun Nichols, 23 Nov 2015

NASA palms off blunder-bot Valkyrie for top US universities to fix

It can put Man on the Moon, but NASA has turned to universities to get its clumsy humanoid robot Valkyrie up to scratch. The robot, now dubbed R5, competed two years ago in the DARPA robotic challenge, and tied with two other teams for last place after failing to complete any of the specified tasks. Now the agency has awarded …
Iain Thomson, 20 Nov 2015

Patch this braXen bug: Hypervisor hole lets guest VMs hijack hosts

The Xen hypervisor project today released nine security patches that should be applied ASAP – particularly the one that stops guest virtual machines seizing control of host servers. That vulnerability – XSA-148 – can be exploited by a paravirtualized guest to manipulate the memory layout of the underlying system, and …
Chris Williams, 29 Oct 2015

Cobweb 'fesses up to failure to renew SSL certificate

Cloudy service provider Cobweb Solutions has 'fessed up to failing to renew its SSL certificate, leaving a number of its customers potentially exposed. The lack of a protocol for secure communication only came to light after one of Cobweb's customers got in touch to report the issue. Adrian Smith, security consultant, …
Kat Hall, 23 Oct 2015

EE reports flat Q3 sales, keeps mum on Power Bar recall debacle

EE reported flat third-quarter revenues to the City this morning and tried to ease investors by promising – once again – that it would do a better job on customer service. During the three-month period ended 30 September, the mobile carrier was battling a major product recall. But it made no mention of the Power Bar blunder …
Kelly Fiveash, 21 Oct 2015

'10-second' theoretical hack could jog Fitbits into malware-spreading mode

Updated A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath. The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and …
Darren Pauli, 21 Oct 2015