Articles about Blunder


Microsoft keeps schtum as more battery woes hit Surface sufferers

Updated Microsoft loyalists are up in arms over yet more battery grief with the Surface Pro 3 and that Redmond is, we're told, breaking promises on repair costs. These aren't the battery blunder reported in July, in which faulty software had a habit of draining batteries of juice. Microsoft fixed that issue with a software update in …
Iain Thomson, 19 Oct 2016

How a chunk of the web disappeared this week: GlobalSign's global HTTPS snafu explained

GlobalSign has performed a postmortem examination on how, as one of the world's root certificate authorities, it managed to break a chunk of the web. The New Hampshire, US-based biz has to date sold 2.5 million SSL/TLS certificates to websites around the world. This week, it inadvertently smashed its own chain of trust: it …
Chris Williams, 15 Oct 2016

'Pork Explosion' flaw splatters Foxconn's Android phones

Security researcher Jon Sawyer says a limited backdoor has been found in some Foxconn-manufactured Android phones, allowing attackers to root phones they have in hand. The backdoor is the result of a debugging function left over in Foxconn apps bootloader code which can be exploited by attackers wielding appropriate software …
Darren Pauli, 14 Oct 2016

Feds collar chap who allegedly sneaked home US hacking blueprints

An American who worked at the same intelligence contractor as NSA whistleblower Edward Snowden has been charged with the theft of classified documents. Harold Martin, 51, of Glen Burnie, Maryland, was arrested in late August after the FBI raided his house and storage shed, allegedly finding a number of top secret documents he …
Shaun Nichols, 05 Oct 2016

Level3 switch config blunder blamed for US-wide VoIP blackout

Updated Backbone provider Level3 says an outage that knocked out VoIP service for much of the US Tuesday morning was the result of improperly configured equipment. It seems the outage, which smashed call services offline for much of the country, was not the result of any fiber cuts or facility damage, but rather some classic bad …
Shaun Nichols, 05 Oct 2016

Let's not meet up with JPEG 2000 – researchers find security hole in image codec

Researchers are warning about a newly discovered security vulnerability in a popular open-source JPEG 2000 parser that could let corrupted image files trigger remote code execution. Cisco-owned security firm Talos warns that by embedding a malformed image file into a web page, PDF file, or email message, an attacker could gain …
Shaun Nichols, 04 Oct 2016

Nork server blunder leaks Kim Jong Un's entire DNS – all, er, 28 .kp domains

North Korea's zone file has leaked online, providing another insight into the hermit kingdom's internet. According to the TLDR (TLD Records) project, which runs automated zone requests against top-level domains in order to act as an historical archive, the Norks reconfigured one of their nameservers for the .kp space and …
Kieren McCarthy, 21 Sep 2016

Microsoft red-faced after Bing translation cockup enrages Saudis

A snafu with the translation engine in Microsoft's Bing search engine has landed Redmond in hot water with the Saudi authorities. Over the weekend, Saudi Arabian users found that when they typed the Arabic word Daesh – the name of the medieval terror bastards currently losing their battle for a caliphate in the Middle East – …
Iain Thomson, 30 Aug 2016

Chinese CA hands guy base certificates for GitHub, Florida uni

A Chinese certificate authority handed out a base certificate for GitHub and the University of Central Florida to a mere user in a significant security blunder. British Mozilla programmer Gervase Markham reported the incident on the browser baron's mailing list saying it occurred more than a year ago in July 2015 but went …
Darren Pauli, 29 Aug 2016

Cisco confirms two of the Shadow Brokers' 'NSA' vulns are real

It's looking increasingly likely that the hacking tools put up for auction by the Shadow Brokers group are real – after Cisco confirmed two exploits in the leaked archive are legit. The two exploits, listed in the archive directory as EPICBANANA and EXTRABACON, can be used to achieve remote code execution on Cisco firewall …
Iain Thomson, 17 Aug 2016

Nobody expects... a surprise haemorrhoid operation

Decades of authoritarian one party rule have perhaps reduced one man's ability to question authority as a Chinese bloke awaiting the birth of his child was erroneously whisked in for a haemorrhoidectomy. Doctors at Shenyang Hunnan Xinqu Hospital mistook Mr Wang for another chap with a bad case of the pink grapes and whisked …
Paul Kunert, 11 Aug 2016

Patch your vBulletin forum – or get popped

If you've got a vBulletin forum, get patching – another security flaw has been found in the widely used web message board software. The patches address a pre-authentication server-side request forgery vulnerability (CVE-2016-6483) in vBulletin 3.8.9, 3.8.10 beta, 4.2.3, 4.2.4 beta, and 5.2.3. Attackers can exploit the bug to …

Linux security backfires: Flaw lets hackers inject malware into downloads, disrupt Tor users, etc

Analysis A flaw in the Linux kernel lets hackers inject malware into downloads and webpages, smash Tor connections, launch denial-of-service attacks, and more. This is a troubling security headache because Linux is used widely across the internet, from web servers to Android smartphones, tablets and smart TVs. The TCP/IP networking …
Iain Thomson, 10 Aug 2016

Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea

Updated Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder. These skeleton keys can be used to install non-Redmond operating systems on locked-down computers. In other words, on devices that do not allow you to disable Secure …
Chris Williams, 10 Aug 2016

How many zero-day vulns is Uncle Sam sitting on? Not as many as you think, apparently

DEF CON While some fear the US government is hoarding a vast pool of zero-day security vulnerabilities, the reality is that it probably holds just a few dozen, according to a study by Columbia University. In a presentation at the DEF CON hacking conference in Las Vegas today, Jason Healey, senior research scholar in the university's …
Iain Thomson, 05 Aug 2016

Users of secure chat app Telegram popped after possible nation-state attack

Black Hat An attack group known for rudimentary phishing scams and having operational security so bad their servers were popped by Check Point has compromised a dozen Telegram accounts and gained phone numbers for a further 15 million, possibly with state assistance. Telegram is a well-regarded end-to-end encrypted chat client used by …
Darren Pauli, 04 Aug 2016

Reminder: IE, Edge, Outlook etc still cough up your Windows, VPN credentials to strangers

Updated Microsoft software still leaks usernames and password information to strangers' servers – thanks to an old design flaw in Windows that was never properly addressed. These details can be used to potentially unmask VPN users and commandeer Windows accounts. They can be obtained simply by tricking victims into visiting malicious …
Iain Thomson, 02 Aug 2016

300 million pelicans? Pah. What 6 billion plastic bags really weigh

The splash story on one Sunday newspaper breezily informed us Brits used six billion fewer plastic bags this year than last, and that these weighed the same as “three million pelicans” – a grave naughtiness committed before El Reg's Standards Soviet. Last Saturday's edition of the Daily Mail featured the screaming splash …
Gareth Corfield, 02 Aug 2016

123-Reg goes TITSUP – again

Updated It seems the wheels of 123-Reg's clown vehicle have fallen off once again. The UK-based web host's website is out of action and customers are reporting a lack of email access. One reader got in touch to say: "Over the past month or so the email service offered by 123-Reg has been up and down and very poor for this small …
Kat Hall, 02 Aug 2016

IPO spews email addresses to hundreds of recipients. Twice

The department entrusted with the protection of corporate data is seemingly somewhat less bothered when it comes to guarding personal info. The Intellectual Property Office yesterday made the classic schoolboy error of sending out an email containing hundreds of recipients in the 'to' field. Realising its blunder minutes …
Kat Hall, 15 Jul 2016

Software bug costs Citigroup $7m after legit transactions mistaken for test data for 15 years

A programming blunder in its reporting software has led to Citigroup being fined $7m (£5m). According to the US Securities and Exchange Commission (SEC), that error [PDF] resulted in the financial regulator being sent incomplete "blue sheet" information for a remarkable 15 years – from May 1999 to April 2014. The mistake was …
Kieren McCarthy, 13 Jul 2016

Cracking Android's full-disk encryption is easy on millions of phones – with a little patience

Android's full-disk encryption on millions of devices can be cracked by brute-force much more easily than expected – and there's working code to prove it. Essentially, if someone seizes your Qualcomm Snapdragon-powered phone, they can potentially decrypt its file system's contents with a friendly Python script without knowing …
Iain Thomson, 01 Jul 2016

London Mayor election day bug forced staff to query vote DB by hand

The confirmation of Sadiq Khan as Mayor of London last month was delayed for several hours by a database application bug. The announcement of the election's winner was pushed back from May 6 to May 7 as a result of the programming cockup, which was buried in the IntElect systems used to scan and tabulate citizens' votes. …
Shaun Nichols, 17 Jun 2016

Virgin Media goes TITSUP* in South London due to painful piles

Thousands of South Londoners have been knocked offline due to a blunder by a construction worker slicing through a Virgin cable. On Tuesday afternoon, a major segment of Virgin Media's fibre cabling was cut by a pile driver on a construction site in Brixton. The cabling has yet to be repaired. Approximately 4,300 customers …
Kat Hall, 15 Jun 2016

Kazakhstan wins bid to get Mega IP address info on state secrets hackers

File storage site Mega has been ordered to hand over IP address information to the Kazakhstan Government that could identify a user alleged to have uploaded more than 100,000 stolen documents to the service. Hackers allegedly popped Kazakhstan networks last year, allegedly uploading the stolen documents to Mega's servers …
Darren Pauli, 13 May 2016

Malware scan stalled misconfigured med software, mid-procedure

A user or reseller who couldn't be bothered configuring their antivirus properly has hit the headlines for interrupting doctors trying to insert a vascular catheter into a patient. As the FDA's Adverse Event Report says, an hourly malware scan stalled a Merge Healthcare Hemo unit, which collects patient vital signs, displays …

This is what a root debug backdoor in a Linux kernel looks like

A root backdoor for debugging ARM-powered Android gadgets managed to end up in shipped firmware – and we're surprised this sort of colossal blunder doesn't happen more often. The howler is the work of Chinese ARM SoC-maker Allwinner, which wrote its own kernel code underneath a custom Android build for its devices. Its Linux …

ImageMagick exploits spotted

Malicious images exploiting server-hijacking holes in ImageMagick have been spotted and documented by web host biz CloudFlare. As we reported last week, ImageMagick – a tool used by countless websites to process images submitted by users – has a pretty bad bug that allows images to execute commands on vulnerable systems. The …
Chris Williams, 09 May 2016

London NHS trust fined £180,000 after second bcc fail on HIV email list

The Information Commissioner's Office (ICO) has handed down a £180,000 fine to an NHS trust in London after it revealed the email addresses of more than 700 users of an HIV information service. The data blunder occurred last year when a sexual health clinic at 56 Dean Street, which is operated as part of Chelsea and …

Woman charged with blowing AU$4.6m overdraft on 'a lot of handbags'

A 21-year-old woman has appeared in court in Sydney accused of taking advantage of a Westpac Bank glitch which saw her accidentally granted an unlimited overdraft against which she allegedly withdrew AU$4.6m, "part of which she spent on luxury handbags", as puts it. Chemical engineering student Christine Jiaxin Lee …
Lester Haines, 05 May 2016

Oz gummint seeks public input on 'site block' guidelines

The Australian government has decided it could do with some public input regarding the use of a controversial site-blocking law. No, it's not the “block the pirates” law that came into force last year. Rather, it's Section 313 of the Telecommunications Act, a provision that received little attention until the Australian …

What was all that about a scary iMessage flaw? Your three-minute guide

Watercooler – On Sunday, we were warned that hackers could read our iMessages texts, photos and videos. Should I be worried? As it turns out: no. If you're even a little curious about cryptography and secure programming, though, it should interest and amuse you. On Sunday, the Washington Post learned that Apple had fixed a flaw in the …
Chris Williams, 23 Mar 2016

Clear April 12: Windows, Samba to splat curious 'crucial' Badlock bug

April 12 – save the date if you're a Windows or Samba file server administrator. Stefan Metzmacher, a Samba core developer, has discovered what sounds like a pretty bad security bug, and he says it will be patched on that day next month. The vulnerability already has everything it needs to make a big splash: a name, Badlock; …
Chris Williams, 22 Mar 2016

Google spews critical Android patch as millions of gadgets hit by Linux kernel bug

Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices. The vulnerability (CVE-2015-1805) affects all Android devices running Linux kernel versions below 3.18 – we're talking millions of gadgets and handhelds, here. The vulnerability is a privilege elevation that …
Darren Pauli, 22 Mar 2016

FreeBSD crushes system-crashing bug

Sysadmins ought to patch their FreeBSD systems after an irritating bug was found in the kernel. A programming blunder involving integer signedness can be exploited by a logged-in user to crash a system. With the right parameters, you can trick the kernel into clearing too much of its heap memory with zeros via the sysarch …
John Leyden, 18 Mar 2016

Snowden WAS the Feds' quarry in Lavabit case, redaction blunder reveals

It was Edward Snowden's email account the FBI was targeting in its extraordinary legal case against Lavabit, we can now confirm. Lavabit ran an encrypted email service that Edward Snowden was thought to have used in 2013 to contact journalists about the top-secret NSA files he had in his possession. In documents published …
Kieren McCarthy, 17 Mar 2016

Bloke pockets $15k for spotting Facebook password-reset blunder

Facebook has slung US$15,000 in the direction of Anand Prakesh for discovering a serious bug on its beta servers. Late in February, Prakesh writes, he discovered that the company's beta sites didn't rate limit the PINs used for password resets. If you request a password reset via a PIN sent to your phone, after 10 or 12 …

Feds spank Asus with 20-year audit probe for router security blunder

Asus has settled its case with the US Federal Trade Commission (FTC) after hackers pwned nearly 13,000 home routers via an unpatched security flaw. The case arose in February 2014, when miscreants used an easily exploitable flaw in Asus's home router line to take control of 12,900 systems in the US. An investigation by the FTC …
Iain Thomson, 23 Feb 2016

Comodo's 'security' kit installed a lame VNC server on PCs on the sly

Google's Project Zero has found yet another blunder in Comodo's internet "security" software – a VNC server enabled by default with a predictable password. Earlier this month, Googler Tavis Ormandy pointed out that Comodo's custom web browser, dubbed Chromodo, was about as unsafe as a lace condom thanks to terrible security …
Iain Thomson, 18 Feb 2016

Good thing this dev quit. I'd have fired him. Out of a cannon. Into the sun

Line Break Roll up, roll up. It's your Wednesday dose of ridiculous code spotted in the wild. If you've seen some horrors, send over your tales, please, and we'll share them with our readers. We've had a great response so far, which perhaps is a damning indictment for the software engineering industry. It can't be all bad, though – …
Chris Williams, 17 Feb 2016

Patch ASAP: Tons of Linux apps can be hijacked by evil DNS servers, man-in-the-middle miscreants

A huge amount of Linux software can be hijacked by hackers from the other side of the internet, thanks to a serious vulnerability in the GNU C Library (glibc). Simply clicking on a link or connecting to a server can lead to remote code execution, allowing scumbags to steal passwords, spy on users, attempt to seize control of …
Iain Thomson, 16 Feb 2016

Council IT system goes berserk, packs off kids to the wrong schools

Brit families waiting to find out if their kids have been accepted into their secondary school of choice were bamboozled on Thursday by a computer blunder. Herefordshire Council's systems sent out a wedge of emails to parents offering their children places for the new school year – but the information was wrong. It appears …
Chris Williams, 12 Feb 2016

Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months

Web hosting biz Linode broke the security in its customers' virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them. Nodes that installed Linode's Ubuntu 15.10 image between November 10, 2015, and February 4, 2016, all use the same SSH server key. Usually, a unique key is generated during …
Chris Williams, 09 Feb 2016

Home Office lost its workers' completed security vetting forms

The Home Office has admitted to The Register that among its data breach incidents last year was one in which security vetting documents disappeared from within secured government premises. Through the Freedom of Information Act, The Register has learned that the Home Office – responsible for the UK's domestic counter- …

You've seen things people wouldn't believe – so tell us your programming horrors

Line break Shellshock. Heartbleed. That CCTV storage firmware with a hardcoded password. We've all seen some really bad code. Maybe that's just me. Given that many of our sysadmin readers have poured in tales of fixing impossibly broken servers for our On-Call series, we know our software-wrangling readers have faced similar battles …
Chris Williams, 28 Jan 2016

IRS 'inadvertently' wiped hard drive Microsoft demanded in audit row

The IRS has declined to produce data in a Freedom of Information Act (FOIA) battle between itself and Microsoft – because the taxmen deleted the information after receiving the information request. In a filing [PDF] to the US District Court of Western Washington this month, Uncle Sam's Internal Revenue Service said it would be …
Shaun Nichols, 21 Jan 2016

Cisco patch day fixes CGI script blunder, hard-coded credentials

If you've got a Cisco Unified Computing System or a Firepower 9000 Series appliance, get busy patching. The Borg says it slipped up and let a CGI script make unprotected calls to shell commands. By fooling around with the URL, an attacker would be able to send arbitrary commands to the affected kit. All versions of UCS …

FTC apologizes for leaking attendee details … to privacy conference

The Federal Trade Commission (FTC) has put in a strong bid for the 2016 Ironic Idiocy Award after it sent the details of every attendee to one of its conferences to every other attendee. The conference? Privacy CON. The conference, taking place today in Washington DC, is heavy on university research and covers topics like " …
Kieren McCarthy, 14 Jan 2016

Evil OpenSSH servers can steal your private login keys to other systems – patch now

Malicious OpenSSH servers can silently steal people's private SSH keys as they try to login, it emerged today. This means criminals who compromise one server can secretly grab keys needed to log into other systems from a user's computer – allowing crooks to jump from server to server. The security cockup, present in the …
Iain Thomson, 14 Jan 2016

Video game retailer GAME in email marketing FAIL

Hundreds of UK video game fans became unwitting recipients of each others’ email addresses this week following a messaging cock-up at online retailer El Reg learned of the snafu through reader David, who seems to have been something of a patient zero in the minor privacy flap. Human error meant that “To:” field …
John Leyden, 14 Jan 2016