Articles about Security


McAfee Security Manager lets anybody bypass managers' security

McAfee's Enterprise Security Manager (ESM) needs patching, as smartly as you can manage, due to an administrator-level authentication bypass. The advisory here says “a specially crafted username” can get past the Security Information & Event Management logins without authentication, and without a password, “if the ESM is …

Security industry too busy improving security to do security right

The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for mandatory migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS). Earlier this year, the council decided the time to make the final cutover was June 2016. Now the council says it's just too hard for …
Simon Sharwood, 21 Dec 2015

Join The Register at Enigma, USENIX’s new security conference

Promo "It's time for the security community to take a step back and get a fresh perspective on threat assessment and attacks.” So say the organisers of Enigma, a new conference designed for IT security professionals in industry and research. That works for The Register, which is covering the three-day conference held in San …
David Gordon, 12 Jan 2016

Israeli security firms Check Point, CyberArk in talks – report

Israeli security firm Check Point is reportedly in preliminary talks with local rival CyberArk about a possible acquisition/merger. Rumours of the courtship surfaced in Hebrew-language Israeli financial newspaper TheMarker on Wednesday, and led to twitterings in some quarters that we were about to witness the birth of some …
John Leyden, 13 Jan 2016

Cisco splats Nexus, APIC, and security manager bugs

Grab the Cisco-branded fly-swatter, it's time for your weekly bug-splat. Top of the list are four high-severity bugs, in Nexus 9000 switches, security managers, and application policy controllers. The Nexus 9000 ACI Mode Switch has an issue in its ICMP implementation, remotely exploitable to cause a denial-of-service. An …

Euro-security group ENISA notices cars are insecure, plots fixfest

ENISA, the European Union Agency for Network and Information Security, has noticed that computers, cars, and communications can result in insecurity, and is calling for participants in a new CarSEC expert group. With a focus on “Smart Cars and Intelligent Road Systems”, ENISA says it will keep the call for experts open for …

US publishes guide to hardening your arteries, security-wise, that is

The US Food and Drug Administration has issued draft guidance requiring medical device manufacturers to up their security game and report major incidents to the agency. Organisations building pacemakers, defibrillators, insulin pumps, and other hackable medical systems will need to be able to identify; protect; detect; respond …
Darren Pauli, 19 Jan 2016

New Xen bug uses security feature to destroy security

Xen has revealed details of bug CVE-2015-6654, which it warned about a couple of weeks back. The good news is that this one is rather less nasty than the string of guest/host escapes it's reported lately thanks largely to leaks in QEMU. Another nice piece of news is that this time around the problem's also only on ARM- …
Simon Sharwood, 01 Sep 2015

Intel Security sunsets SaaS email security products

Intel Security is decommissioning bits of its software-as-a-service armoury. The newly-re-named outfit (We have nothing – NOTHING! to do with that oddball John McAfee) has emailed customers of its McAfee SaaS Endpoint Products and SaaS Email Protection and Archiving to let them know that as of January 11th next year it will …
Simon Sharwood, 23 Oct 2015

Packet floods can bork Borg's security kit

Cisco has announced a patch for a high-severity bug in the AsyncOS that runs a bunch of its security appliances. The operating system underneath its Email Security Appliance (ESA), Content Security Management Appliance (SMA) and Web Security Appliance (WSA) can be hosed by sending them crafted TCP packets at a high enough rate …

BlackBerry makes Android security patch promises

BlackBerry is touting security and privacy as the new Priv's key differentiators. But wait, isn't it an Android? And isn't that like putting an arsonist in charge of the Fire Brigade? The firm's first Android phone, which begins shipping tomorrow, is a genuine rarity: a phone targeted at enterprises and more technically …
Andrew Orlowski, 05 Nov 2015

Thales buys Vormetric for $400m in major security biz push

Thales has put up $440m to acquire Vormetric, which develops data protection technology for physical, virtual and cloud infrastructures. The transaction, announced late Monday, is subject to customary closing conditions but is expected to be finalised during the first quarter of 2016. The deal will allow Thales to acquire …
John Leyden, 20 Oct 2015

Cisco gobbles OpenDNS, sorts out cloud security portfolio

Cisco will buy privately held net security firm OpenDNS for $635m in cash, to make good its cloud security portfolio and boost the networking giant's "security everywhere" approach. Announcing the deal today, the leviathan is offering the bundle of cash alongside assumed equity awards, plus retention based incentives for …

Open Web Application Security Project issues new secure coding bible

The Open Web Application Security Project (OWASP) has published the third version of its developer security bible trimming the fat and offering peer-reviewed and tested means of building more secure apps. The Application Security Verification Standard Project (ASVS) is the carrot to OWASP's much-cited stick that is the Top 10 …
Darren Pauli, 12 Jan 2016

Alibaba security FAIL as brute-force bonanza yields 21 MILLION logins

Up to 21 million accounts on Alibaba e-commerce site TaoBao may have been compromised, likely thanks to stolen credentials reused on breached third-party sites. TaoBao is a seller-to-seller commerce site like Gumtree or eBay where users rely on reputation to secure the most sales. Reuters reports China's Ministry of Public …
Darren Pauli, 08 Feb 2016

Cisco swallows security firm Lancope for $452m

Cisco has announced its intention to acquire netsec firm Lancope for more than $452m in cash. The company aims to supplement its security offerings with those of Lancope's StealthWatch suite, which protects networks with live monitoring and behaviour analytics of network data flows. Cisco is doubling down on its netsec …

Your jingle to take into the weekend: QuickTime security fixes to apply

Apple has posted an update to its QuickTime media plugin, addressing multiple remote code execution flaws for Windows 7 and Windows Vista users. The Cupertino giant said that the QuickTime 7.7.9 patch will address a total of nine CVE-listed memory corruption vulnerabilities in QuickTime. Each could be targeted by loading a …
Shaun Nichols, 09 Jan 2016

Biz jabber tool Slack realises it needs a Chief Security Officer

Slack has just hired a Chief Security Officer, with former Palantir CISO Geoff Belknap coming in to shore up the security of a cloud-based operation holding an awful lot of sensitive business communications. Slack, the team collaboration tool masquerading as an unadventurous man's IRC, has seen huge adoption across the …

Samsung sued over 'lackadaisical' Android security updates

Samsung is being sued by a Dutch consumer group for its alleged lackadaisical approach to security updates for its Android phones. The Dutch Consumers’ Association (DCA) claims that an incredible 82 per cent of Samsung phones do not have the latest version of Android installed. It blames the Korean giant for failing to prod …
Kieren McCarthy, 21 Jan 2016

NBN opens 400 tech jobs in looming second Melbourne security shop

nbn, the company building Australia's national broadband network (NBN), will hire 400 tech bods over the next two years to staff its upcoming Cyber Security Operations Centre in Melbourne's south. The centre will operate around the clock with infosec bods policing the network. It will operate in addition to the Network and Services …
Darren Pauli, 07 Dec 2015

WirelessHART industrial control kit is riddled with security holes

Widely used WirelessHART-type industrial control products are wide open to exploitation, a security tools firm has warned. Applied Risk, an industrial control systems (ICS) security specialist, has discovered several weaknesses in various WirelessHART products. The vulnerabilities create the potential for hackers of various …
John Leyden, 01 Feb 2016

Cloud Security Alliance says infosec wonks would pay $1m ransoms

Some companies will pay hackers up to US$1 million in ransoms to claw back stolen data according to a poll by the Cloud Security Alliance. The survey garnered 209 respondents of which half were in IT security and a third from tech with most hailing from companies with up to 1000 staff and a quarter from large enterprises with …
Team Register, 14 Jan 2016

UK NHS-backed health apps 'riddled with security flaws'

As if striking junior doctors weren’t enough, the UK's NHS also has technology worries, according to a study by app security firm Arxan. All of the NHS-approved apps Arxan audited lacked binary protection against code tampering, and most also lacked adequate protection in the transport layer. Flaws also emerged in FDA-approved …
John Leyden, 13 Jan 2016

UK/China cyber security deal: National security attacks still OK, it seems

Contrary to several trigger-happy reports, China's president Xi Jinping has not signed a formal agreement with the UK prime minister David Cameron on cyber security. Rather, the nations have issued a joint statement – which UK government spokespersons did not want to tell The Register was legally binding – which mentions an …

CES tech show adds new security checks after fears of violence

The annual Consumer Electronics Show in Las Vegas is renowned for being crowded – 170,000 people attended last year – but new security restrictions will mean that the traditional lines to get in are going to be exponentially worse. "Due to recent global tragedies, we have new security procedures for CES. This includes bag …
Iain Thomson, 18 Dec 2015

German Govt mulls security standards for SOHOpeless routers

The German Government is mulling an assessment of the security chops of consumer routers in a bid to lift current abysmal standards and help inform buyers. Berlin's Ministry of the Interior IT security office says it wants to test routers for support of security features like WPS, encryption, and brute force protection of …
Darren Pauli, 21 Oct 2015

Google ninjas go public with security holes in Malwarebytes antivirus

Malwarebytes is rushing to plug security flaws in its software that allow miscreants to sling malware at its customers. The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software …
John Leyden, 02 Feb 2016

Hot-patching method melts security hole in Apple's App Store

A system that app developers use to bypass Apple’s time-consuming procedures in order to issue “hot-patching” to App Store apps has inadvertently spawned a serious security risk for iOS app users. FireEye researchers warn that JSPatch – an open-source technology that’s used by app developers as an alternative to Apple’s …
John Leyden, 27 Jan 2016

Former USAF chief lands HP Security tour in Oz

Promo HP will be deploying its security big guns over Australia next month, in the shape of its upcoming Security Innovation Tour featuring former US Air Force head of Cyber Security Earl Matthews. The half day events in Sydney and Melbourne will give you an overview of the current threat landscape, and help you harden your systems …
David Gordon, 19 Aug 2015

Akamai buys out Scottish web security firm Bloxx

Scottish websec firm Bloxx has been acquired by American giants Akamai in a cash deal, for an undisclosed amount, to shore up its cloud security services. Bloxx, established in 1999, had 55 employees spread between its facilities in West Lothian and Massachusetts. There has been no comment regarding restructuring at the …

Cisco applies plaster to email, Web security appliances

Cisco email and Web security appliance customers have some patching to do to paper over newly revealed denial-of-service and other cracks. The Borg has issued two advisories for Web security appliances, one covering a DoS bug and the other addressing a problem with DNS resolution. In the DNS issue, a remote attacker can hose …

China makes internet shut-downs official with new security law

China is able to shut off internet access during major 'social security incidents' and has granted its Cyberspace Administration agency wider decision making powers under a draft law published this month. The draft also appears to require critical infrastructure organisations including foreign entities to store "important" …
Darren Pauli, 13 Jul 2015

Intel Security hires ex-Cisco and Avaya man to run global channels

Intel Security - the company formerly known as McAfee - has hired ex-Avaya global channel overlord Richard Steranka to run the rule over its worldwide partner network. The exec will take control of the security firm’s disties, resellers, managed service providers, alliances and embedded OEM chums - and will have his work cut …
Paul Kunert, 24 Aug 2015

Oz Govt calls for more talk on telco network security laws

Australia's Attorney-General's Department has again called for industry consultation on its sweeping security overhaul of the telecommunications sector that would force telcos to provide the Federal Government with confidential network plans. A draft for the Telecommunications and Other Legislation Amendment Bill was released 26 …
Darren Pauli, 27 Nov 2015

iOS banking apps security still not good enough, says researcher

The security of mobile banking apps has improved over the last two years but there’s still scope for improvement. Ariel Sanchez, security consultant for IOActive, has revisited research into the topic first conducted two years ago to see if there’s been any improvement. Although security has increased over the two years, many …
John Leyden, 18 Dec 2015

Who's running dozens of top-secret unpatched databases? The Dept of Homeland Security

The US Department of Homeland Security is running dozens of unpatched databases, some of which are rated "secret" and even "top secret," according to an audit. An inspection [PDF] of the department's IT infrastructure found huge security gaps, including the fact that 136 systems had expired "authorities to operate" – meaning …
Kieren McCarthy, 20 Nov 2015

Check Point snaps up mobile security outfit Lacoon

Check Point is buying Lacoon Mobile Security, in a deal that expands the security software firm beyond its core firewall and IDS market while pushing it further into mobile. Terms of the deal, announced Thursday, were undisclosed. Lacoon develops security apps for both iOS and Android, as well as marketing real-time mobile …
John Leyden, 02 Apr 2015

Is security outfit Norse Corp dead or just temporarily TITSUP?

Security startup Norse Corp has gone ominously dark. The outfit, famous for picking scabs from FreeBSD and mesmerising users with a “live DDoS map”, isn't contactable on the Web right now. Early in January, The Register reported layoffs in the business, amounting to as much as half its staff at the time. Now, Brian Krebs …

Cisco takes Security Everywhere™ to throw blanket over shadow IT

Cisco wants you to know it has Security Everywhere™, but that it doesn't mean it is Gossamer Thin. Rather, the messaging from the Borg is that its newly-boosted security suites cover just about everything that needs to be securable. That it says includes the things you don't know you even own, or to use advertising lingo, …
Darren Pauli, 04 Nov 2015

Brit-educated bloke takes Dept of Homeland Security's infosec reins

The US Department of Homeland Security (DHS) has appointed Andy Ozment, currently the Assistant Secretary of the Office of Cybersecurity and Communications – the DHS's main processing center for threat information sharing – as leader of its cybersecurity centre. Ozment will remain in his current assistant role, while assuming …

OEMs still the Achilles heel of Android security, say boffins

Good, but not good enough: that's the verdict of a bunch of researchers who checked out the security model that Google's applied to Android since the Lollipop 5.0 release. In this Arxiv paper, Elena Reshetova and her collaborators from Finland's Aalto University (with support from Intel) look over the post-Lollipop era, in …

NCC Group sowing the seeds of disruption in the cyber security industry

Competition It's 2015, the cyber attacks keep on coming, and the bad guys appear to be winning – some may argue this is because devastating data breaches are more newsworthy than businesses upping their security defences. We see a relentless battle between businesses trying to protect themselves and those with malicious intent attacking …
David Gordon, 20 Nov 2015

Microsoft in SaaS-y cloud data security slurp

Microsoft has acquired cloud security outfit Adallom. Adallom was founded in 2012 and follows the “R&D in Israel, sales in Silicon Valley” template for a range of data security products for clouds. The company's wares bring data loss prevention and reporting to cloud storage services, offering users the chance to see just who' …
Simon Sharwood, 09 Sep 2015

Raytheon: Ho hum, another day, another $1bn cyber-security contract with Uncle Sam

Defense contractor Raytheon said it will be providing IT security for more than 100 US government agencies in a deal valued at upwards of $1bn. Raytheon said the billion-dollar contract, reportedly set to run for five to seven years, will include development and support of cybersecurity protections for the Department of …
Shaun Nichols, 30 Sep 2015

Star Wars BB-8 toy in firmware update risk, say UK security bods

A Star Wars BB-8 internet of things toy comes with a vulnerability that leaves it open to malevolent influences of the Dark Side. The Sphero toy itself is very cute with some lovely functionality, with a slick mobile app. However, a preliminary assessment by UK security consultancy Pen Test Partners (PTP) has revealed a class …
John Leyden, 08 Jan 2016

IT security spending to hit $75.4bn in 2015 despite currency issues, says Gartner

Worldwide spending on information security will reach $75.4bn in 2015 – an increase of 4.7 per cent over 2014 – despite a currency-driven price hike causing some customers to delay purchases until next year. Government initiatives, increased legislation and high-profile data breaches are the hot topics shaping the latest …
John Leyden, 23 Sep 2015

Sexy sock puppets seduce security suckers

Phishers have been targeting security researchers with fake LinkedIn profiles built on re-purposed photos of models and company logos, according to F-Secure hacker Sean Sullivan (@5ean5ullivan). The threat-finding bod said that would-be recruiters, linked to a network of phoney cryptographers and security types, were …
Darren Pauli, 07 Sep 2015

MPs launch 'TalkTalk' inquiry over security of personal data online

Executives at TalkTalk, including CEO Dido Harding herself, may face a grilling from Members of Parliament over the shoddy security practices which led to the theft of more than a million Britons' data from her company. This morning the Culture, Media and Sport Committee announced it had "launched an inquiry into cyber-security …

Adrian Mole, Wimpy Kid are your new security mentors

Splunk has hurled the fourth edition of its Enterprise Security product out the door, and feels that the most important new feature is its diary, or as Splunk likes to call it the “Investigator's journal”. The result of usability studies, the journal offers a means to record all the actions taken when security teams spot …
Simon Sharwood, 29 Oct 2015

Data centre outfit Interxion admits to contact detail security breach

A security breach at European data centre firm Interxion has exposed the contact details of thousands of its customers, although no financial information is thought to be involved. Neither credit card details nor customer services were affected by last month’s security snafu, and only Interxion’s CRM system was affected, as …
John Leyden, 11 Jan 2016