Articles about Blunder

Comodo's 'security' kit installed a lame VNC server on PCs on the sly

Google's Project Zero has found yet another blunder in Comodo's internet "security" software – a VNC server enabled by default with a predictable password. Earlier this month, Googler Tavis Ormandy pointed out that Comodo's custom web browser, dubbed Chromodo, was about as unsafe as a lace condom thanks to terrible security …
Iain Thomson, 18 Feb 2016

Good thing this dev quit. I'd have fired him. Out of a cannon. Into the sun

Line Break Roll up, roll up. It's your Wednesday dose of ridiculous code spotted in the wild. If you've seen some horrors, send over your tales, please, and we'll share them with our readers. We've had a great response so far, which perhaps is a damning indictment for the software engineering industry. It can't be all bad, though – …
Chris Williams, 17 Feb 2016

Patch ASAP: Tons of Linux apps can be hijacked by evil DNS servers, man-in-the-middle miscreants

A huge amount of Linux software can be hijacked by hackers from the other side of the internet, thanks to a serious vulnerability in the GNU C Library (glibc). Simply clicking on a link or connecting to a server can lead to remote code execution, allowing scumbags to steal passwords, spy on users, attempt to seize control of …
Iain Thomson, 16 Feb 2016

Council IT system goes berserk, packs off kids to the wrong schools

Brit families waiting to find out if their kids have been accepted into their secondary school of choice were bamboozled on Thursday by a computer blunder. Herefordshire Council's systems sent out a wedge of emails to parents offering their children places for the new school year – but the information was wrong. It appears …
Chris Williams, 12 Feb 2016

Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months

Web hosting biz Linode broke the security in its customers' virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them. Nodes that installed Linode's Ubuntu 15.10 image between November 10, 2015, and February 4, 2016, all use the same SSH server key. Usually, a unique key is generated during …
Chris Williams, 09 Feb 2016

Home Office lost its workers' completed security vetting forms

The Home Office has admitted to The Register that among its data breach incidents last year was one in which security vetting documents disappeared from within secured government premises. Through the Freedom of Information Act, The Register has learned that the Home Office – responsible for the UK's domestic counter- …

You've seen things people wouldn't believe – so tell us your programming horrors

Line break Shellshock. Heartbleed. That CCTV storage firmware with a hardcoded password. We've all seen some really bad code. Maybe that's just me. Given that many of our sysadmin readers have poured in tales of fixing impossibly broken servers for our On-Call series, we know our software-wrangling readers have faced similar battles …
Chris Williams, 28 Jan 2016

IRS 'inadvertently' wiped hard drive Microsoft demanded in audit row

The IRS has declined to produce data in a Freedom of Information Act (FOIA) battle between itself and Microsoft – because the taxmen deleted the information after receiving the information request. In a filing [PDF] to the US District Court of Western Washington this month, Uncle Sam's Internal Revenue Service said it would be …
Shaun Nichols, 21 Jan 2016

Cisco patch day fixes CGI script blunder, hard-coded credentials

If you've got a Cisco Unified Computing System or a Firepower 9000 Series appliance, get busy patching. The Borg says it slipped up and let a CGI script make unprotected calls to shell commands. By fooling around with the URL, an attacker would be able to send arbitrary commands to the affected kit. All versions of UCS …

FTC apologizes for leaking attendee details … to privacy conference

The Federal Trade Commission (FTC) has put in a strong bid for the 2016 Ironic Idiocy Award when they sent the details of every attendee to one of its conferences to every other attendee. The conference? Privacy CON. The conference, taking place today in Washington DC, is heavy on university research and covers topics like " …
Kieren McCarthy, 14 Jan 2016

Evil OpenSSH servers can steal your private login keys to other systems – patch now

Malicious OpenSSH servers can silently steal people's private SSH keys as they try to login, it emerged today. This means criminals who compromise one server can secretly grab keys needed to log into other systems from a user's computer – allowing crooks to jump from server to server. The security cockup, present in the …
Iain Thomson, 14 Jan 2016

Video game retailer GAME in email marketing FAIL

Hundreds of UK video game fans became unwitting recipients of each others’ email addresses this week following a messaging cock-up at online retailer GAME.co.uk. El Reg learned of the snafu through reader David, who seems to have been something of a patient zero in the minor privacy flap. Human error meant that “To:” field …
John Leyden, 14 Jan 2016

Patch now: VMware Tools for Windows root holes fixed in update

VMware sysadmins, get patching: the virtualisation outfit has released updates to its ESXi, Fusion, Player and Workstation software to block out a privilege-escalation vulnerability. The patch applies to VMware Windows Workstation versions before 11.1.2, Player and Fusion versions prior to 7.1.2, and various ESXi versions …

Password-less database 'open-sources' 191m US voter records on the web

Updated A database with personal information on 191,337,174 US voters has apparently been found unprotected online by a security researcher in Texas. Austin-based Chris Vickery – who earlier this month found records on 3.3 million Hello Kitty users splashed online – says the wide-open system contains the full names, dates of birth, …
Iain Thomson, 28 Dec 2015

Software bug sets free thousands of US prisoners too early

Washington State Department of Corrections is facing an investigation after it released more than 3,200 prisoners too early due to a software bug. "These were serious errors with serious implications," Governor Jay Inslee said in a statement. "When I learned of this I ordered [the Department of Corrections] to fix this, fix it …
Iain Thomson, 23 Dec 2015

Xen Project blunder blows own embargo with premature bug report

The Xen Project has reported a new bug, XSA-169, that means “A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.” The fix is simple – running only paravirtualised guests – but the bug is a big blunder for another reason. Xen is very widely used by big cloud …
Simon Sharwood, 23 Dec 2015

CIOs, what does your nightmare before Christmas look like?

CIO Manifesto We gathered 14 of the UK’s finest IT leaders in a secure bunker (elegant room in the Soho Hotel -Ed.) for the last Register Round Table of 2015 to hear their tales of when good IT goes bad. The short version is the thing they fear most is you, dear reader, your screw-ups, your documentation, your thefts, your dodgy code, your …
Joe Fay, 22 Dec 2015

ICO slaps HIV support group with £250 fine following email blunder

An HIV support group responsible for inadvertently revealing patient identities via an email blunder has been slapped with a £250 fine by the Information Commissioner's Office. The Bloomsbury Patient Network sent out a newsletter to 200 patients via email using a list of addresses in the "to" field rather than the "bcc" field …
Kat Hall, 18 Dec 2015

'Powerful blast' at Glasgow City Council data centre prompts IT meltdown

The catastrophic service outage at Glasgow City Council's data centre, caused after its IT systems servers were taken down by a fire suppressant accidentally going off, is continuing to cause widespread havoc for staff and the public. The embarrassing blunder was caused by a faulty air conditioning unit setting off its fire …
Kat Hall, 17 Dec 2015

Windows' authentication 'flaw' exposed in detail

Updated Security researcher "dfirblog" has forensically examined what he calls a "devastating" flaw in Windows' Kerberos authentication system. The vulnerability cannot be fixed, and the only solution is to use Microsoft's Credential Guard program to prevent passwords from being stored in memory, according to his extensive blog post …
Kieren McCarthy, 15 Dec 2015

Lenov-lol, a load of Tosh, and what the Dell? More bad holes found in PC makers' bloatware

Lenovo laptops and PCs can be hijacked by visiting a malicious website – and Dell and Toshiba machines suffer vulnerabilities, too, we're told. If you're running the Lenovo Solution Center bundled with Lenovo gear, and you browse by an evil webpage, scripts on that page can run code with full system privileges on your computer …
Chris Williams, 05 Dec 2015

VPN users menaced by port forwarding blunder

Virtual Private Network (VPN) protocols have a design flaw that can be potentially exploited by snoops to identify some users' real IP addresses. VPN provider Perfect Privacy, which discovered the security weakness, has dubbed it "port fail", and says it affects VPNs based on the IPSec (Internet Protocol security) or PPTP ( …
Darren Pauli, 30 Nov 2015

HTTPSohopeless: 26,000 Telstra Cisco boxen open to device hijacking

More than 26,000 Cisco devices sold by Australia's dominant telco Telstra are open to hijacking via hardcoded SSH login keys and SSL certificates. The baked-in HTTPS server-side certificates and SSH host keys were found by Sec Consult during a study of thousands of router and Internet of Things gizmos. Cisco warns that …
Darren Pauli, 27 Nov 2015

Microsoft rides to Dell's rescue, wrecks rogue root certificate

Microsoft has killed Dell's user-pwning root certificate and its self-reinstalling .dll with its antivirus Defender tool. The certificate is a big blunder because it opens a universal means for attackers on public networks to hose new Dell laptops. That's because bright minds planted a self-signed root CA certificate and …
Darren Pauli, 26 Nov 2015

Why Microsoft yanked its latest Windows 10 update download: It hijacked privacy settings

Microsoft withdrew downloads for its latest official edition of Windows 10, version 1511, after it meddled with people's privacy settings. Earlier we reported how Redmond disappeared the update, which could be fetched via the official media creation tool (MCT). The download became available in mid-November after Microsoft …
Chris Williams, 25 Nov 2015

Superfish 2.0: Dell ships laptops, PCs with huge internet security hole

Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more. The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted …
Shaun Nichols, 23 Nov 2015

NASA palms off blunder-bot Valkyrie for top US universities to fix

It can put Man on the Moon, but NASA has turned to universities to get its clumsy humanoid robot Valkyrie up to scratch. The robot, now dubbed R5, competed two years ago in the DARPA robotic challenge, and tied with two other teams for last place after failing to complete any of the specified tasks. Now the agency has awarded …
Iain Thomson, 20 Nov 2015

Patch this braXen bug: Hypervisor hole lets guest VMs hijack hosts

The Xen hypervisor project today released nine security patches that should be applied ASAP – particularly the one that stops guest virtual machines seizing control of host servers. That vulnerability – XSA-148 – can be exploited by a paravirtualized guest to manipulate the memory layout of the underlying system, and …
Chris Williams, 29 Oct 2015

Cobweb 'fesses up to failure to renew SSL certificate

Cloudy service provider Cobweb Solutions has 'fessed up to failing to renew its SSL certificate, leaving a number of its customers potentially exposed. The lack of a protocol for secure communication only came to light after one of Cobweb's customers got in touch to report the issue. Adrian Smith, security consultant, …
Kat Hall, 23 Oct 2015

EE reports flat Q3 sales, keeps mum on Power Bar recall debacle

EE reported flat third-quarter revenues to the City this morning and tried to ease investors by promising – once again – that it would do a better job on customer service. During the three-month period ended 30 September, the mobile carrier was battling a major product recall. But it made no mention of the Power Bar blunder …
Kelly Fiveash, 21 Oct 2015

'10-second' theoretical hack could jog Fitbits into malware-spreading mode

Updated A vulnerability in FitBit fitness trackers first reported to the vendor in March could still be exploited by the person you sit next to on a park bench while catching your breath. The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and …
Darren Pauli, 21 Oct 2015

Microsoft now awfully pushy with Windows 10 on Win 7, 8 PCs – Reg readers hit back

Updated Have you noticed Microsoft being a little too eager in pushing its Windows 10 upgrade lately? You're not alone. The Reg news tip inbox has been awash the past few days with readers reporting that the newest version of Windows has been forcing itself onto computers amid other operating system updates, and sometimes even …
Shaun Nichols, 15 Oct 2015

UK's Lloyds Banking Group scrambles to patch account-snooping security hole

Lloyds Banking Group – a major financial outfit in the UK – has closed a security flaw that potentially exposed banking records on tens of thousands of Brits. The vulnerability would have allowed criminals to open an account using only a person's name, address, and date of birth, and then view other accounts that person had …
Shaun Nichols, 15 Oct 2015

Kill Flash: Adobe says patch to fix under-attack hole still days away

Just a day after its monthly batch of security updates, Adobe has confirmed it will issue an emergency critical patch for Flash next week. With somewhat regrettable timing, given Adobe's patching cycle, Trend Micro's security researchers announced on Tuesday that it had discovered in the plugin a vulnerability, CVE-2015-7645, …
Iain Thomson, 15 Oct 2015

Outlook.com had classic security blunder in authentication engine

Synack senior security researcher Wesley Wineberg has received US$25,000 from Microsoft for quietly disclosing a bug that allows any Hotmail account to be hijacked. The cross-site request forgery vulnerability means that any user visiting a malicious page can have their accounts hijacked without further interaction. The since …
Darren Pauli, 09 Oct 2015

Fast, wireless access to Tor? Just maybe

Portable Tor routers have a serious image problem. But one of only two companies to have actually done it right plans to fix that. Should you believe the hype this time around? Quite possibly, yes. It was only a year ago that the tech community got excited about the idea of a small, lightweight router that would connect you …
Kieren McCarthy, 06 Oct 2015

Virgin Media's SPAM-AGEDDON 'fix' silences mailboxes

Virgin Media customers who are Ntlworld.com account holders have been struggling – one way or another – to access their emails for days now. Subscribers affected by the ISP's migration from Google's Gmail service were first forced to wade through hundreds of SPAM messages to get to their emails, only to later find that over- …
Kelly Fiveash, 05 Oct 2015

iOS 9 security blooper lets you BYPASS PINs, eye up photos, contacts

Vid A security flaw in iOS 9 allows anyone who has a locked Apple iThing in their hand to view its contacts and photos without having to enter a passcode. A chap called Jose Rodriguez has posted a YouTube video demonstrating the design blunder, which exploits Siri to access information on the handset from the PIN unlock screen. …
Shaun Nichols, 23 Sep 2015

AWS outage knocks Amazon, Netflix, Tinder and IMDb in MEGA data collapse

Amazon's Web Services (AWS) have suffered a monster outage affecting the company's cloudy systems, bringing some sites down with it in the process. The service disruption hit AWS customers including Netflix, Tinder and IMDb, as well as Amazon's Instant Video and Books websites. The outage may also explain Airbnb's current …
Kelly Fiveash, 20 Sep 2015

Crash Google Chrome with one tiny URL: We cram a probe in this bug

You can crash the latest version of Google Chrome with a simple tiny URL. Just rolling your mouse over it in a page, launching it from another app such as an email client, or pasting it into the address bar, will kill either that tab or the whole browser. It's perfect for pranking friends by sending it to them in emails and …
Chris Williams, 20 Sep 2015

Apple iPhones, iPads BRICKED by iOS 9's 'slide-to-upgrade' bug

Apple has published a workaround after some iPhone and iPad users were left stranded in the middle of the iOS 9 update process. The Cupertino giant has acknowledged multiple complaints that devices were unable to progress past the "Slide to Upgrade" screen when moving to the latest version of iOS. Apple's remedy: wipe your …
Shaun Nichols, 18 Sep 2015

Patch Bugzilla! Anyone can access your private bugs – including your security vulns

If you or your organization is running Bugzilla, and you're using email-based permissions, make sure you've updated to the latest version – namely 5.0.1, 4.4.10, or 4.2.15. That's because someone's found a way to easily access private bugs in your codebase – such as critical security holes you're still working on to fix. An …
Chris Williams, 17 Sep 2015

Shedload of security bugs squashed in iOS 9 – what the hell went wrong with iOS 8?

Apple's latest version of iOS – iOS 9 – is out today with new features and security fixes. A lot of security fixes: 101 potentially exploitable bugs, we count. If you've got a compatible device, you may well want to upgrade sooner rather than later – certainly before people start trying to exploit these security holes. The …
Team Register, 16 Sep 2015

ICO probes NHS clinic's data blunder that exposed HIV+ status of 800 patients

The ICO is looking into a data blunder at 56 Dean Street, a sexual health clinic operated as part of Chelsea and Westminster NHS Foundation Trust, after it emailed the HIV positive status of nearly 800 patients to the entire group. The data breach was committed through the email circulation of the clinic's "OptionE" newsletter …

OH DEAR, WHSmith: Sensitive customer data spaffed to world+dog

Updated British newsagent WHSmith has a major privacy hole on its website, after its magazine subscription service began emailing everyone on the mailing list. The data protection howler has been flagged up on Twitter by plenty of angry customers who fear having their personal information plundered by wrongdoers. However, despite the …
Kelly Fiveash, 02 Sep 2015

Dropbox DROPS BOX as service GOES TITSUP worldwide

Dropbox suffered a major outage across the globe today – the company blamed "routine internal maintenance" for the significant wobble, which appears to be ongoing. At time of publication, Dropbox was claiming on its official status page that services were running normally again. However, a quick scan of "Dropbox down" tweets …
Kelly Fiveash, 30 Aug 2015

Yet another Android app security bug: This time 'everything is affected'

Yet another potentially serious security flaw has been revealed in Android. This time the problem involves the mobile operating system's ability to run more than one app at once – as opposed to its handling of multimedia messages, which was the crux of a cyber* of vulnerabilities last month. The latest security blunder opens …
John Leyden, 20 Aug 2015

Another root hole in OS X. We know it, you know it, the bad people know it – and no patch exists

If you're using OS X Yosemite, watch out for malware exploiting a new way to take complete control of your Mac. A vulnerability has been found in Apple's operating system that allows ordinary software on the computer to gain all-powerful root privileges, allowing dodgy apps to install new programs, create users, delete users, …
Chris Williams, 18 Aug 2015

Google flubs patch for Stagefright security bug in 950 million Androids

Google's security update to fix the Stagefright vulnerability in millions of Android smartphones is buggy – and a new patch is needed. The Stagefright flaw is named after a component within the Android operating system that, among other things, processes incoming text messages that contain video clips. By sending a vulnerable …
Iain Thomson, 13 Aug 2015

Exploding Power Bars: EE couldn't even get the CE safety mark right

Exclusive EE failed to label its "Power Bar" phone charging devices with the correct marking to show that the product complied with European safety directives, The Register has learned. The embarrassing cockup comes after we revealed that EE management had been warned about safety risks with its Power Bar, ahead of its launch in April …
Kelly Fiveash, 13 Aug 2015