Articles about Security Risks

Since you love Flash so much, Adobe now has TWO versions for you

Adobe says a buggy installer is the reason some people have two different versions of Flash Player on their Windows PCs. The software house told The Register it had to create an additional build of the browser plugin specifically for Microsoft's Internet Explorer after the version made for other browsers – such as Mozilla's …
Shaun Nichols, 15 Jul 2016

EU uncorks €1.8bn in cybersecurity investment. Thirsty, UK?

The EU Commission has launched a public-private partnership on cybersecurity that is expected to trigger €1.8bn ($2bn) of investment by 2020. The EU is promising to invest €450m ($502m) in a bid to spur innovation in cybersecurity with the remainder coming from the private sector. Some security commentators reckon the Brexit …
John Leyden, 05 Jul 2016

Tor torpedoed! Tesco Bank app won't run with privacy tool installed

UK supermarket giant Tesco's mobile banking app refuses to run on handsets where the Tor app is also installed, it emerged this weekend. Mainframe database admin Marcus Davage revealed the Tesco banking app tells users they must remove the Tor Project's anonymizing Android software to access the supermarket's money services. …
Shaun Nichols, 18 Jun 2016

Linux devs open up universal Ubuntu Snap packages to other distros

Analysis The Snap application container system released in April with Ubuntu 16.04 is now going to be opened up to many other Linux distros after a surprise discovery by developers. In a press call to journalists, Canonical founder Mark Shuttleworth (accompanied at times by a rather excitable Labrador) explained that shortly after the …
Iain Thomson, 14 Jun 2016

Apple launches HomeKit app – but where are the products?

Apple has finally launched its internet-of-things (IoT) smart-home service with a new mobile app called "Home." The only problem? A distinct lack of products to work with. Speaking on stage at Apple's Worldwide Developers Conference in San Francisco earlier today, senior VP of software engineering Craig Federighi outlined a …
Kieren McCarthy, 13 Jun 2016

Hackers so far ahead of defenders it's not even a game

Cybercriminals are way ahead of the game against defenders without having to try anything new, according to the latest edition of Verizon's benchmark survey of security breaches. The study shows that miscreants have no need to switch up, because the same old tactics are still working fine. Security defenders are still …
John Leyden, 26 Apr 2016

Cutting edge security: Expensive kit won't save you

We all want to protect our customer and employee data, but as the threat landscape changes and the publicly disclosed data breaches get increasingly larger, our approach may need to change. What constitutes "state of the art" information security in 2016? It’s tempting to create a listicle of 10 shiny new security tools that …
Danny Bradbury, 13 Apr 2016

Apple tells iPhone court 'the Founders would be appalled' by Feds

Apple's latest response to US Department of Justice (DoJ) demands that it alter its operating system to allow access to a terrorist's iPhone using the 1789 All Writs Act is typically blunt. "According to the government, short of kidnapping or breaking an express law, the courts can order private parties to do virtually …
Iain Thomson, 16 Mar 2016

Don't freak out, but your primary storage has become 'aware'

Comment The term data-aware storage is fairly new to our industry and its definition, as often happens, is not very clear. Of course vendors have their own view of this term. In my personal opinion, data-aware storage means being able to analyse infrastructure and workloads as well as storing the data involved, giving a complete …

Dragons and butterflies: The chaos of other people's clouds

Cloud computing was meant to solve the reliability problem, but in practice, it still has a long way to go. Is that an endemic problem with the complexity of cloud computing, or a problem with the way people use it? Cloud infrastructures are meant to be resilient, because they tend to use lots of cheap servers and scale out. …
Danny Bradbury, 05 Feb 2016

OpenSSL fixes bug, gets dissed by German gov: That's so random ... not

Days after fixing a rare but dangerous key recovery attack, the developers of OpenSSL have been dealt a fresh blow with a poor review of the technology from a German government agency. An extensive security study and code review on OpenSSL by Sirrix AG (and sponsored by the BSI (Bundesamt für Sicherheit in der …
John Leyden, 04 Feb 2016

EU agency warns of cyber risks from using big data tools

Businesses that use software and systems to collect, analyse and use data are increasingly vulnerable to cyber risks, according to a new report. The European Network and Information Security Agency (ENISA) urged companies to embrace "the security-by-default principle" to better safeguard data and systems against privacy and …
OUT-LAW.COM, 01 Feb 2016

Oracle to kill off Java browser plugins with JDK 9

Oracle has announced that it will kill off Java browser plugins once JDK 9 debuts. Big Red's post on the matter says it's sniffed the anti-plugin winds and agrees with the idea that plugins are so 90s and have no place in the modern browser, so “developers of applications that rely on the Java browser plugin need to consider …
Simon Sharwood, 28 Jan 2016

Outage outrage: Banks need clear targets for improving IT systems

Banks should be set "clear objectives and targets" on improving the performance of their IT systems in light of a number of recent major outages, the chairman of a prominent UK parliamentary committee has said. In letters to Andrew Bailey, chief executive of the Prudential Regulation Authority (PRA), and Tracey McDermott, …
OUT-LAW.COM, 27 Jan 2016

Got a Nexus? Google has five critical Android security fixes for you

Google has fixed 12 security bugs in its Android source code – including five that would allow miscreants to achieve remote code execution or root access. The Mountain View giant said its January Android security update includes patches for five CVE-listed security vulnerabilities it rates as "critical" risks, two considered " …
Shaun Nichols, 04 Jan 2016

Irked train hackers talk derailment flaws, drop SCADA password list

32c3 A trio of Russian hackers say core flaws in rail networks are opening trains to hijacking and derailment and have published dozens of hardcoded industrial control system credentials to kick vendors into action. Industrial control specialist …
Darren Pauli, 04 Jan 2016

Oracle ordered to admit on its website that it lost the plot on Java security

Oracle bungled the security updates of its Java SE software so badly it must publish a groveling letter prominently on its website for the next two years. After gobbling up Java along with Sun in 2010, Oracle's software updates for Java SE would only affect the latest version installed. If you had multiple versions of Java SE …
Chris Williams, 22 Dec 2015

Oxford Uni opens infosec ivory tower in Melbourne

The State of Victoria is cementing its place as Australia's security hub with the launch of an Oxford University national infosec risk centre in Melbourne. The Global Cyber Security Capacity Centre will perform "audits of national cyber security risks and capabilities" to help Australia plan investments and strategies. It …
Darren Pauli, 15 Dec 2015

Oz Govt calls for more talk on telco network security laws

Australia's Attorney-General's Department has again called for industry consultation on its sweeping security overhaul of the telecommunications sector that would force telcos to provide the Federal Government with confidential network plans. A draft for the Telecommunications and Other Legislation Amendment Bill was released 26 …
Darren Pauli, 27 Nov 2015

RAF web survey asks for bank details via unencrypted email

An online survey of the Royal Air Force’s website aimed at journalists has invited would-be participants to send their banking details using unencrypted email to third-party organisers. Independent experts told El Reg that the badly thought-out advice left media pros exposed to a heightened risk of fraud. The survey invite …
John Leyden, 26 Nov 2015

Mixing ERP and production systems: Oil industry at risk, say infosec bods

Black Hat Europe Hackers might be able to bridge the gap between supposedly air-gapped systems in oil and gas production by pivoting from enterprise planning onto production systems. Vulnerabilities and insecure installations in SAP business software and other enterprise systems might be used to interfere with loosely-coupled but nonetheless …
John Leyden, 18 Nov 2015

Faux Disk Encryption: Mobile phone crypto not a magic bullet

Black Hat Europe Full-disk encryption on mobile devices is nowhere near as secure as commonly believed and Android offers less granular control than iOS, according to security researchers from NCC Group. Daniel Mayer and Drew Suarez debunked some commonly held but inaccurate beliefs about smartphone crypto as well as presenting a comparison …
John Leyden, 16 Nov 2015

By 2019, vendors will have sucked out your ID along with your cash 5 billion times

Research house Juniper has stared into its crystal ball and discovered that the number of biometrically authenticated payment transactions will reach nearly five billion by 2019, up from a mere 130 million currently. Apple Pay and Samsung are the only providers that currently use fingerprint scanners for authentication, with …
Kat Hall, 27 Oct 2015

Internet Architecture Board defends users' rights to mod Wi-Fi kit

The Internet Architecture Board (IAB) has gently suggested to the United States' Federal Communications Commission (FCC) that locking WiFi kit to manufacturers' firmware forever might not be a good idea. The IAB's submission to the FCC, made last week, is in response to the FCC suggesting a crack-down on open-source firmware …

FBI boss: No encryption backdoor law (but give us backdoors anyway)

President Obama will not push for laws requiring tech companies to cripple their encryption systems with backdoors, FBI boss James Comey has said. But – and you knew a but was coming – the United States government will continue to lean heavily on American giants to plant backdoors in their systems. Speaking at a Homeland …
Chris Williams, 09 Oct 2015

Amazon blocks lab-only key-stealing neighbour attack

Update Amazon has patched a vulnerability that could have let users steal the RSA keys of other co-located customers. The complex attack - getting to CPU code cache isn't trivial - would, if successful, give an attacker a whole 2048-bit key used in other Elastic Compute Cloud instances. Worcester Polytechnic Institute researchers …
Darren Pauli, 02 Oct 2015

AT&T accused of Wi-Fi interception, ad injection

AT&T has been accused of grabbing user traffic from its Wi-Fi hotspots for ad injection. The news comes from Stanford lawyer and computer scientist Jonathan Mayer, whose previous work includes uncovering a browser history bug in 2011, and the use of Verizon zombie cookies by third parties. In Webpolicy, Mayer writes that …

Oh no ZigBee, as another front opens on home networking insecurity

Black Hat 2015 Security researchers have exposed new flaws in ZigBee, one of the most popular wireless communication standards used by Internet of Things (IoT) devices. Implementations of ZigBee in home networks require that an insecure initial key transport be supported, making it possible to compromise ZigBee networks and take …
John Leyden, 06 Aug 2015

Are users undermining your mobile security efforts?

Mobile security is becoming more of a headache as the crossover between business and personal activity continues to increase, and employees generally expect more freedom. Research suggests, however, that you can only push technology-based protection so far before users rebel and try to find ways around it. To manage risks …
Dale Vile, 03 Aug 2015

Jeep breach: Scared? You should be, it could be you next

Other vehicles may be at risk from hacking following the Jeep Cherokee incident, according to one of the two researchers who pioneered the spectacular auto exploit. Renowned car security researchers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee over a mobile network and found a way to control critical …
John Leyden, 24 Jul 2015

Contactless card fraud? Easy. All you need is an off-the-shelf scanner

Consumer association magazine Which? has highlighted a security flaw in contactless card systems, which, if combined with a lack of checks by retailers, could be exploited by thieves to make expensive online purchases. Researchers bought contactless card-reading technology from a mainstream website before using it to remotely …
John Leyden, 23 Jul 2015

Fragmented Android development creating greater security risks

The fragmentation of Android is creating additional security risks, as the rush to release new devices without sufficient testing is inadvertently introducing security flaws, security researchers have warned. The researchers – Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed and XiaoFeng Wang – uncovered flaws in …
John Leyden, 20 Jul 2015

Windows Server 2003 support deadline is TOMORROW – but thousands don't care

Tomorrow marks the end of support for Windows Server 2003 but plenty of customers, of all shapes and sizes, weighed up the cost versus the risk factors and will continue to make do with their dusty old boxes. From 14 July, Microsoft will not issue any further security patches or firmware upgrades, and buying custom support is …
Paul Kunert, 13 Jul 2015

Samsung caught disabling Windows Update to run its own bloatware

Updated Samsung computer users could find themselves wide open to attack because the software the Korean giant bundles on its systems disables Windows Update. The problem was spotted by independent security researcher Patrick Barker after a Windows user complained that the Windows Update function, which automatically downloads patches …
Iain Thomson, 24 Jun 2015

What scares you most about ‘the cloud’?

Tech Panel Cloud computing has gone mainstream. While a hard-core of naysayers still exists, the black-and-white negative viewpoint is a lot less common today than it was a year or two ago. Our research at Freeform Dynamics, including via The Register, says it’s now less about ‘whether’ to use cloud, and more a question of where to adopt …
Dale Vile, 28 May 2015

Speaking in Tech: Scrubbing Chrome with Google's Brillo

Podcast Hosted by Greg Knieriemen, Ed Saipetch and Sarah Vela. This week Ed, Greg and Sarah get together to digest Google's IoT operating system (is there a hidden agenda, and will it be open source?), creepy teddy bears (Ted made real, maybe, or just an Android phone with some …
Team Register, 27 May 2015

Cloud Security Temperature Check

Survey Results It is increasingly common for users and business groups to drive their own adoption of cloud services. But even where IT is involved, as organisations ramp up their use of cloud, activity is often uncoordinated. Pulling the threads together across service silos to manage risks effectively can be a challenge. The right strategy …
Dale Vile, 20 May 2015

HORDES OF CLING-ONS menace UK.gov IT estate as special WinXP support ends

UK government departments still running Windows XP are now doing so entirely on their own. A framework support agreement between the Crown and Microsoft guaranteeing the release of special security patches for PCs still on Windows XP has ended after one year. That deal - revealed here - expired on April 14 and it’s been decided …
Gavin Clarke, 08 May 2015

CHEATER! Test labs out AV vendor for using rival's engine

Chinese anti-virus vendor Qihoo 360 has been caught cheating on benchmarking tests by submitting versions running A-V engines from rival Bitdefender. The company has been reprimanded by established testing outfits Virus Bulletin, AV-Comparatives, and AV-Test, which withdrew its 2015 certifications. In a joint statement [PDF] the …
Darren Pauli, 01 May 2015

UK rail signals could be hacked to cause crashes, claims prof

The rollout of a next generation train signalling system across the UK could leave the network at greater risk of hack attacks, a university professor has claimed. Prof David Stupples warns that plans to replace the existing (aging) signalling system with the new European Rail Traffic Management System (ERTMS) could open up the …
John Leyden, 24 Apr 2015

Scouts' downed Compass database won't be back 'til autumn

The Scout Association will not have its troubled Compass database — which holds the details of 450,000 young people and volunteer adults — restored to operation until early autumn. The Compass database was taken down in January following revelations by El Reg that members had raised serious concerns over the security of the …
Kat Hall, 16 Apr 2015

Android gets biometric voice unlocking

Google is deploying what it calls Trusted Voice to allow Android users to unlock phones using their voice, according to reports. The feature is filed under the Choc Factory's Smart Unlock feature which sports easier unlock mechanisms like Trusted devices, places, and faces. Once activated, it would allow punters to unlock their …
Darren Pauli, 14 Apr 2015

Wi-Fi hotspots can put iPhones into ETERNAL super slow-mo

A vulnerability fixed in this week's Apple patch run can easily brick iPhones, researchers say. The flaw (CVE-2015-1118) dubbed "Phantom" allows attackers who can trick users into changing their iDevice proxy settings to tap into multiple use-after-free vulnerabilities. Doing so causes constant ubiquitous app crashing …
Darren Pauli, 10 Apr 2015

Turnbull's digital transformation office DOES SOMETHING

Earlier today, your correspondent bemoaned the fact that Australia's nascent Digital Transformation Office (DTO) was announced ten weeks ago but appears to have done little in that time other than advertise for a leader. Fast-forward to around 15:00 Australian time and the agency has revealed that it has, indeed, done something …
Simon Sharwood, 07 Apr 2015

Huawei networking kit gets the green light from Blighty's spooks

A board put together to double-check the work of a British government team set up to investigate Huawei has given the Chinese giant a clean bill of health. The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board was established in early 2014 on the recommendation of the UK National Security Adviser. The board is …
Simon Rockman, 30 Mar 2015

Australian online voting system may have FREAK bug

UPDATE Next weekend, voters in the Australian State of New South Wales go to the polls to elect a new government. Some have already cast their votes online, with a system that may be running the FREAK bug. So say Vanessa Teague and J. Alex Halderman, respectively a research fellow in the Department of Computing and Information …
Darren Pauli, 22 Mar 2015

GCHQ: Ensure biz security by STOPPING everyone from TALKING

GCHQ is advising organisations to consider stripping staff of smartphones and memory sticks in order to make themselves less exposed to cyber attacks. The advice from the intelligence agency's CESG (Communications-Electronics Security Group) information assurance arm comes against a backdrop of increased concerns about the theft …
John Leyden, 19 Mar 2015

WANTED: A plan to DESTROY metadata, not just retain it

Australia's data retention proposal suggests the nation's telcos and ISPs need to store data for two years. But agencies accessing the data can seemingly keep it forever and are not, to date, required to securely store or destroy data they retrieve from the nation's putative data trove of personal information, miscalled " …

A billion things are already on the IoT: Verizon

Verizon reckons the Internet of Things is no longer a “nascent” market, reporting that there are already more than a billion devices out there running business-to-business IoT operations. In its “state of the market” report (free with registration) covering the IoT in 2015, the company predicts that the B2B IoT space will pass …

Psst, hackers. Just go for the known vulnerabilities

Despite all the publicity about zero-day exploits, a big percentage of breaches (44 per cent) come from vulnerabilities which are two to four years old. Server misconfigurations were the number one vulnerability, according to the latest edition of HP’s annual Cyber Risk Report, which concludes that well-known issues posed the …
John Leyden, 23 Feb 2015