Articles about Security

John Brennan protests TSA security by going starkers

Feds investigate Homeland Security background checker security breach

A contractor running background checks for the US Department of Homeland Security has suffered a potentially embarrassing security breach. The security snafu at USIS reportedly led to the theft of some DHS employees’ personal information. The recently discovered breach prompted DHS to suspend all work with USIS, pending the …
John Leyden, 05 Nov 2014

Europe's cyber security agency wants pick your infosec BRAINS

Do you work in the ICT sector? If so, Europe’s top cyber security agency wants you. ENISA (The European Union Agency for Network and Information Security) is looking for 20 experts to join its “Permanent Stakeholders’ Group”. Self-declared experts who work in the ICT sector for fixed and mobile electronic communications …
Jennifer Baker, 07 Nov 2014

Hewlett Foundation lays out MEELLIONS on security

The Hewlett Foundation has found US$45m in its other jacket, and has anointed three lucky US universities to spend on security research. MIT, Stanford and UC Berkeley will share the simoleons, in a program MIT says is designed to generate a “robust marketplace of ideas”, whatever that is. On a more pragmatic basis, the …

iPAD-FONDLING fanboi sparks SECURITY ALERT at Sydney airport

An iPad-obsessed bloke reportedly triggered an irritating security alert at Sydney Airport in Australia earlier today. The passenger apparently skipped the screening process and instead used an exit at the airport's Terminal 3, which is used for domestic flights, because his head was buried deep in his fondleslab. It would seem …
Kelly Fiveash, 27 Sep 2014

Home Depot ignored staff warnings of security fail laundry list

Home Depot is facing claims it ignored security warnings from staff, who say that prior to its loss of 56 million credit cards it failed to update anti-virus software since 2007, did not consistently monitor its network for signs of attack, and failed to properly audit its eventually-hacked payment terminals. The fixer-upper retail giant …
Darren Pauli, 22 Sep 2014

Biz coughs up even less for security, despite mega breach losses

Information security budgets are falling despite a continuing rise in the number of attacks, according to a new report by management consultants PwC. Detected security incidents have increased 66 per cent year-over-year since 2009, reaching the equivalent of 117,339 attacks per day, according to PwC's "The Global State of …
John Leyden, 01 Oct 2014

Akamai warns: SMB security remains major risk

Security offerings for small businesses need to look more like those offered to enterprises, according to Akamai global security senior director Fran Trentley. Speaking to The Register while in Sydney for the Gartner Security & Risk Management Summit, Trentley said SMBs are increasingly seen as attack targets, and that poses a …

Boffins propose security shim for Android

An international group of researchers believes Android needs more extensible security, and is offering up a framework they hope either Google or mobe-makers will take for a spin. The project is described in this paper slated for the Usenix Security Symposium on Friday in San Diego. The researchers from Germany's Technische …

NIST wants better SCADA security

America's National Institute of Standards and Technology (NIST) wants to take a hand in addressing the SCADA industry's chronic insecurity, by building a test bed for industrial control systems. The Reconfigurable Industrial Control Systems Cybersecurity Testbed is only in its earliest stages. According to this RFI, the …

Amazon flicks switch on CloudFront security features

Amazon has beefed up security on its CloudFront services, adding Perfect Forward Secrecy, OCSP stapling and session tickets to its SSL support. The company describes the new AWS features in full in this blog post. Session tickets are designed to improve performance, particularly in the case of an interrupted session between …

Moscow, Beijing poised to sign deal on joint cyber security ops

Moscow and Beijing will next month sign a deal to commence joint information security projects and operations, and to increase cooperation in the space, according to a popular Russian newspaper with ties to President Vladimir Putin. Kommersant, owned by Russia's richest man and Putin ally Alisher Usmanov, reported ( …
Darren Pauli, 24 Oct 2014

GCHQ grants security clearance to Samsung's Knox mobe security

The official containerisation solution for security on Samsung phones and tablets has passed muster with GCHQ. It’s now deemed safe enough for UK government employees to get a Galaxy Note 3, Galaxy S3, S4 or Galaxy S5, all of which run the Korean firm's KNOX software. This is only to the OFFICIAL (PDF) level of security. This is …
Simon Rockman, 16 May 2014

Do your execs take mobile security seriously?

One of the findings emerging from our latest poll is that many of you are highlighting a lack of exec awareness and air cover when it comes to mobile security. This in turn appears to translate to a lack of funding to put the systems in place to cope with new devices, BYOD and so on. Is this something you are experiencing? If …
Dale Vile, 11 Jul 2014

Microsoft brings own security info exchange to the world

Microsoft has announced “a security and threat information exchange platform for analysts and researchers working in cybersecurity.” Dubbed “Interflow”, Redmond says the new service is “a distributed system where users decide what communities to form, what data feeds to bring to their communities, and with whom to share data …
Simon Sharwood, 24 Jun 2014

Microsoft to shutter security email feed on July 1

Microsoft will suspend a 12-year-old email mailing list that offers news of security updates, in a decision possibly tied to tougher Canadian anti-spam laws. As of July 1st 2014, sysadmins and infosec bods will get their news from a Redmond RSS feed to receive updates on new Microsoft security alerts. "As of July 1, 2014, due to …
Darren Pauli, 29 Jun 2014

Cisco slurps security scanner

Cisco has continued the expansion of its security portfolio with the acquisition of malware analysis outfit ThreatGRID. The acquisition target was founded in 2012, one of the then-burgeoning number of companies that pushed malware analysis, threat intelligence, and security analytics into the cloud (supplemented by an on-premise …

Xen security bug, you say? Amazon readies GLORIOUS GLOBAL CLOUD REBOOT

Amazon will tomorrow begin a bloody global reboot of its Elastic Compute Cloud (EC2) compute instances after it found a security bug within the Xen virtualisation platform. The rolling minutes-long reboots would be completed by 30 September. Amazon did not name the reason for the upgrade, widely thought to be a security issue …
Darren Pauli, 25 Sep 2014

Got mobile security sussed yet? No fibbing, now

First we were told that BYOD would define the future of end user computing. Now many are saying that the use of personal devices for work isn't the way forward after all. While the truth is probably somewhere in between – BYOD for some users, but company devices for others – most agree that the use of mobile technology is set to …
Dale Vile, 03 Jul 2014

BlackBerry: We'll buy Angela Merkel's phone security company. HA!

BlackBerry has bought privately held German firm Secusmart as part of its drive to become the handset provider of choice for security-conscious clients such as government agencies and big businesses. Secusmart, which specialises in voice and data encryption, was already a partner of the one-time business phone giant, providing …

Don't assume public trusts you, MI5. 'Make a case' for surveillance – Former security chief

Spooks and security agencies must openly debate the public's concerns over surveillance following the Snowden revelations, former head of MI5 and current thriller writer Stella Rimington has said. "It is not enough nowadays for intelligence services to say we have your best interests at heart," she told delegates at Microsoft's …
Kat Hall, 10 Nov 2014

Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade

Mozilla has released a bug-and-security update for Firefox, with 11 security fixes, three of them critical. Chief among the security patches is a use-after-free bug the organisation says was discovered by one James Kitchener. From the advisory: “Mozilla community member James Kitchener reported a crash in DirectWrite when …

Bugzilla code critters blab your security sinners, warns Mozilla

The Mozilla Foundation has warned of a number of recently discovered vulnerabilities in its Bugzilla bug-tracking tool that could give attackers access to sensitive information about software projects. One particularly serious flaw allows attackers to bypass the email verification phase when creating new Bugzilla accounts, meaning …
Neil McAllister, 07 Oct 2014

Target, Home Depot and UPS attacks: Dude, you need to rethink point-of-sale security

A new report on point-of-sale malware presents the most detailed examination of the malicious code behind high-profile attacks against US retailers to date. Cyphort Labs’ in-depth look focuses on Target, Home Depot and UPS breaches and involved an analysis of BlackPOS, FrameworkPOS and Backoff malware samples. The researchers …
John Leyden, 12 Nov 2014

Kmart apologizes to customers after month-long security breach

Discount store Kmart admitted some customers’ payment cards have likely been “compromised” as it became the latest mega retailer to fall victim to cyber-crims. The parent of the chain, Sears Holding Corp, said the IT team discovered late Thursday that its payment systems had been breached, and further investigations indicate …
Paul Kunert, 12 Oct 2014

Apple releases MEGA security patch round for OS X, Server and iTunes

While the world+dog was distracted by all the shiny new iThings Tim Cook was showing off on Thursday, Apple quietly pumped out patches for 150 CVE-issued bugs in its server and desktop operating systems and the iTunes media player. The newly released OS X Yosemite, version 10.10, includes a fairly hefty patch load, more so than …
Iain Thomson, 17 Oct 2014

Xen says its security policies might be buggier than its software

The Xen project has asked for help to ensure future bugs aren't as disruptive as the XSA-108 flaw that saw major cloud operators reboot an awful lot of servers. XSA-108 emerged in late September and saw the likes of AWS, SoftLayer and Rackspace patch and reboot many servers. Such reboots are just the kind of thing that cloud …
Simon Sharwood, 23 Oct 2014

AT&T fires insider for slurping customers' social security numbers, driver licenses and more

AT&T has warned subscribers that a rogue staffer rifled through the telco's customer database without authorization. The telecoms giant said one of its workers pulled up sensitive information – including social security numbers – and was duly fired for breaking the corp's privacy rules. According to a letter [PDF] to customers …
Shaun Nichols, 06 Oct 2014

Adobe CSO offers Oracle security lesson: Go click-to-play

Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button …
Darren Pauli, 16 Oct 2014

Home Depot: Someone's WEAK-ASS password SECURITY led to breach

Hackers gained access to Home Depot's network via a third-party vendor system, according to preliminary results of an investigation into the September mega-breach. Cybercrooks used access to the US retail giant's network, gained via ineffective password security at an unnamed third-party vendor's system, to run a stepping-stone …
John Leyden, 07 Nov 2014

Storage AND security? It must be a Reg Live Chat

What: Storage, security and the 2014 show
When: Live Chat, 2pm, 20 June 2014, London
CIOs, IT managers and sysadmins face a host of challenges at the moment as they try to exploit and tame the same technologies that their users are adopting under the radar. At the same time, converging disciplines mean that they may end up …
David Gordon, 04 Jun 2014

CloudFlare ditches private SSL keys for better security

CloudFlare has announced the outcome of what it says is two years' work – switching on Keyless SSL – which lets customers encrypt their web traffic via the company's services without having to hand over their private SSL keys. In this blog post announcing the service, cofounder and CEO Matthew Prince explains that “the only way …

NSA leaker Thomas Drake says Oz security reforms are 'scary'

National Security Agency whistleblower Thomas Drake says Australia's looming national security reforms make him 'shudder', labelling them ambiguous and a plot to stamp out legitimate public-interest whistleblowing. Drake, who Edward Snowden said was his …
Darren Pauli, 04 Aug 2014

Security chap writes recipe for Raspberry Pi honeypot network

Honeypots are the perfect bait for corporate IT shops to detect hackers targeting, and already within, their networks, and now one security bod has devised a means to build a battalion of the devices from Raspberry Pis. University of Arizona student Nathan Yee (@nathanmyee) has published instructions for building cheap hardware …
Darren Pauli, 01 Aug 2014

Quantum key security steps outside the box

US researchers have come a step closer to turning quantum key distribution (QKD) into a “black box” that can be made provably secure regardless of whose boxes sit at each end of a link. In creating a quantum crypto implementation, researchers rely on models of the systems they've created as proofs of their security. That means …

AWS levels up in game of government security – and now one step below classified access

Amazon Web Services (AWS) has leveled up its US government security certification, winning the right to handle more sensitive work from the Department of Defense (DoD). The company has, of course, blogged the news that it has won provisional authorization to operate levels three to five of the DoD's cloud security model. Level …
Simon Sharwood, 21 Aug 2014

Cisco kicks off security kit/software/cloud combo

Cisco has added threat management to its portfolio, announcing Managed Threat Defense which it says brings realtime security to its customers. Since “cloud everywhere” is the base assumption of practically every new launch, the Borg feels constrained to stipulate that Managed Threat Defense includes an “on-premise” solution, …

EFF sues NSA over snoops 'hoarding' zero-day security bugs

Intelligence agencies are among the most prolific buyers of zero-day computer security flaws that can be used to spy on enemies foreign and domestic, or so it's claimed – and the Electronic Frontier Foundation (EFF) has launched a lawsuit to find out what exactly they are doing with them. "Since these vulnerabilities potentially …
Iain Thomson, 02 Jul 2014

Security: Sweet brief for rare man Roche, new boss of Fujitsu TS

Fujitsu company veteran Tom Roche has grabbed the chieftain's chair at the Technology Solutions unit with a specific brief to boost security sales. The post became vacant last month when former boss Michael Keegan was made overlord of UK ops for Fujitsu, replacing Duncan Tait who was lifted to the head of the EMEIA organisation …
Paul Kunert, 18 Jun 2014

Etsy security rule #1: Don't be a jerk to devs

Businesses should deploy bug bounty programs, phish their staff and launch intelligent attacks against their networks, Zane Lackey says. The now chief security officer of SignalSciences ran through the experience of building and adapting Etsy's security team. Lackey (@zanelackey) and his colleagues, who left the hipster bazaar …
Darren Pauli, 02 Oct 2014

Kaspersky warns of IMPOSTER mobile security apps

Security firm Kaspersky Lab is warning users following the discovery of a set of mobile malware apps that impersonate its products. The firm said that unknown malware writers have been crafting applications that bill themselves as being Kaspersky products but instead infect devices or simply fail to do much of anything once …
Shaun Nichols, 17 May 2014

Trustwave gobbles up Application Security, gorges itself on tech

Data security biz Trustwave has acquired fellow data security provider Application Security, a startup that specialises in automated database security scanning technologies. Financial terms of the deal, announced on Monday, were undisclosed. Privately-held Application Security develops security software for relational databases …
John Leyden, 12 Nov 2013

Oracle Database 12c's data redaction security smashed live on stage

Oracle’s much-ballyhooed data redaction feature in Database 12c is easy to subvert without needing to use exploit code, attendees at Defcon 22 in Las Vegas have heard. The redaction features in 12c are designed to automatically protect sensitive database material by either totally obscuring column data or partially masking it – …
Iain Thomson, 08 Aug 2014

Leak of '5 MEELLLION Gmail passwords' creates security flap

Plain-text passwords and account names linked to five million Gmail accounts have been leaked onto several Russian forums. Security experts had already confirmed the data seemed legit, albeit approximately three years old, before Google put up its blog post on the subject. The leak, to a variety of forums, not all of which are …
John Leyden, 11 Sep 2014

AOL confirms security breach from spam attack

AOL has issued a warning to users that their personal information has been stolen by attackers, a week after the security of its servers was questioned. The net giant on Monday said that the same hackers behind last week's spam deluge were able to infiltrate its servers and lift information including email addresses, contact …
Shaun Nichols, 28 Apr 2014

Kaspersky's Security for Virtualization pushed to XenServer and HyperV

Kaspersky is extending its Security for Virtualization Light Agent security tool to the Citrix XenServer and Microsoft HyperV platforms. The company said that the Light Agent tool will launch on April 22 with XenServer and HyperV support as well as new options for VMware's vSphere hypervisor. The company will continue to …
Shaun Nichols, 15 Apr 2014

Secondhand Point-o-Sale terminal was horrific security midden

Second hand point-of-sale systems sold through eBay are likely to contain all sorts of sensitive information, according to the work of a security researcher at HP. HP sleuth Matt Oh bought an Aloha point-of-sale terminal on eBay for $200. This type of terminal is widely used in cash registers within the hospitality industry. …
John Leyden, 21 Jul 2014

Cisco kicks off $300k Internet of Things security competition

Cisco has announced prizes of up to $US75,000 to get help finding ways to secure the burgeoning Internet of Things. Anyone who watches the procession of SCADA vulnerabilities, the exposures discoverable through the Shodan search engine, or the recent bugs popping up in cars, routers, home automation and (maybe) smart appliances …

Cheapo telcos fined for their cheapo security: Financial records on 305,000 people spilled

American watchdog the FCC is fining a pair of US mobile operators for an astonishing lack of security in handling customer information. The commission said that TerraCom Wireless and YourTel Wireless improperly stored information on 305,000 customers and will have to pay a joint fine of $10m split between the two firms as a …
Shaun Nichols, 25 Oct 2014

Emoticons blast three security holes in Pidgin :-(

Cisco researchers have reported a trio of vulnerabilities in popular instant messaging client Pidgin that allow for denial of service by way of emoticon abuse and remote arbitrary file creation. Researchers Yves Younan and Richard Johnson say the flaws have since been quietly patched; they were rated a maximum CVSS score of 6.4 but …
Darren Pauli, 10 Nov 2014

Google slurps sound-powered security upstart SlickLogin

Google has bought five-month-old security startup SlickLogin, which specialises in sound-based authentication technology. Financial terms of the deal were kept secret. The Israel-based company, which was founded by three ex-Israeli-military security bods in 2013, announced that it had been scooped up by Google in a statement on …
Kelly Fiveash, 17 Feb 2014