Iranian CLEAVER hackers may DRAIN energy and defence firms, warn Feds

Iranian hackers may be sniffing out education, defence and energy targets as part of a well-planned operation, the US Federal Bureau of Investigation has reportedly warned. A secret FBI document dubbed "Flash", seen by Reuters, offered advice to businesses on how to foil any such attacks. It comes after Cylance researchers …
Kelly Fiveash, 14 Dec 2014

Batten down the patches: New vuln found in Docker container tech

More security woes plagued users of the Docker application containerization tech for Linux this week, after an earlier security patch was found to have introduced a brand-new critical vulnerability in the software. The Docker 1.3.2 update, which was released in November to address critical bugs that could be exploited by an …
Neil McAllister, 12 Dec 2014

Sony Pictures hit by 'fightback on filesharers' DDoS claims – report

Sony Pictures is alleged to have conducted a retaliatory DDoS attack against websites currently holding its leaked information for public download, according to a media report. The unconfirmed strike-back follows the two weeks of relentless attacks on Sony networks, punctuated by extortion demands, as well as the theft and …
John Leyden, 12 Dec 2014

GCHQ releases teen-friendly code-busting app

British surveillance agency GCHQ has launched its first app today in the hopes of encouraging 14- to 16-year-olds to get interested in cryptography. "Cryptoy" was developed by STEM (science, technology, engineering and maths) students on an industrial year placement at GCHQ and was a hit at the Cheltenham Science Festival. GCHQ …
Lindsay Dodgson, 12 Dec 2014

Hackable intercom lets you SPY on fellow apartment-dwellers

Kiwicon Kiwi hacker Caleb "alhazred" Anderson has popped a video intercom device that could have allowed him to spy on the 700 apartments in his building. The GrandStream GXV3175 intercom unit has been patched after Anderson - who by day serves as Context Information Security's lead consultant - began the attack while "inspired" by a …
Darren Pauli, 12 Dec 2014

VMware exiting 2014 with a bang and a security whimper

The productive bits of 2014 may be ebbing away fast, but VMware's not slowing down: the company's shoved a few notables out the door in recent days. The most urgent is a fix for a bug in the on-premises version of the mobile device management suite AirWatch. As Virtzilla 'fesses up, “These issues may allow a user that manages an …
Simon Sharwood, 12 Dec 2014

Cisco to release flying pig – Snort 3.0

Cisco's going to release a flying pig. The porcine in question is Snort 3.0, a new version of Sourcefire's well-regarded intrusion protection system. Snort's mascot is a pig and Sourcefire has, over the years, had a lot of fun with toy pigs and calendars picturing its pig in provocative poses. That silliness is, happily, …
Simon Sharwood, 12 Dec 2014

Craft bazaar Etsy's security plan is candy to get devs talking

Kiwicon podcast Etsy's security chieftain Rich Smith has told the hacker faithful to secure their organisations by buttering-up devs with beer and candy. Speaking at the KiwiCon event in Wellington, New Zealand, the guardian of the popular hipster bazaar and co-founder of Iceland consultancy Syndis offered tips from running the fast-paced …
Darren Pauli, 12 Dec 2014

Microsoft pulls a patch and offers PHANTOM FIX for the mess

Another Patch Tuesday, another mess for Microsoft, which has pulled update 3004394, aka “December 2014 update for Windows Root Certificate Program in Windows”. Redmond says the patch “is causing additional problem on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the …
Simon Sharwood, 12 Dec 2014

FreeBSD developers VANQUISH Demon bug

Developers have quashed a potentially nasty security bug in FreeBSD. Security researchers at Norse discovered a programming error creating a buffer overflow in the stdio (standard I/O) library's __sflush() function. The bug created a possible mechanism to inject hostile code into vulnerable systems running the open source …
John Leyden, 11 Dec 2014

Elderly zombie Asprox botnet STILL mauling biz bods, says survey

The Asprox botnet was responsible for about 80 per cent of all attack sessions recorded during October 2014, impacting nearly 2,000 different organisations. These figures, from a new report by Palo Alto Networks, provide evidence that the Asprox (AKA Kuluoz) malware family is continuing to plague businesses, despite multiple …
John Leyden, 11 Dec 2014

GCHQ, police to team up to hunt down child abuse on the darknet

GCHQ is to team up with the UK's National Crime Agency to target paedophiles sharing child abuse images on the "dark net". The as-yet-unnamed unit will focus on developing technology capable of scouring the underbelly of the internet for child abuse-related chat and image exchanges. It will also focus on the most prolific …
John Leyden, 11 Dec 2014

Charge Anywhere? More like Hacked Everywhere: Mobe cash biz admits 5-year security breach

Mobile payments biz Charge Anywhere has admitted a hacker may have been snooping on its systems for FIVE years. While probing an internal malware infection, Charge Anywhere discovered someone has been able to eavesdrop on its network traffic since November 2009. That investigation revealed all sorts of sensitive data had been …
John Leyden, 11 Dec 2014

Crims at vendors could crock kit says ENISA

Before you sign on the dotted line to acquire some kit or sign up a service provider, ask the vendor you're considering if any of their staff have criminal records. That's just one of many, many, suggestions made by the European Union Agency for Network and Information Security (ENISA), in a new guide to Secure ICT Procurement …
Simon Sharwood, 11 Dec 2014

Your data: Stolen through PIXELS

Kiwicon Data loss prevention has been dealt a coup de grace with the development of a client-less system that can suck corporate data through monitors. The research, to be detailed in a proof of concept at the Kiwicon hackerfest in Wellington on Friday December 12, bypasses all detection methods, its developer says. The attack requires …
Darren Pauli, 11 Dec 2014

Blu-ray region locks popped by hardware hacker

Scores of Blu-ray players from the biggest names in the industry contain security vulnerabilities that allow region coding to be unlocked, hardware hacker Matthew Garrett says. The players use an antiquated digital rights management scheme to control the distribution of movies meaning some films could only be played in the …
Darren Pauli, 11 Dec 2014

Merry Xmas, Neohapsis, here's your Cisco-dollars

Cisco is beefing up its security intelligence-gathering, snapping up privately-held advisory Neohapsis for an undisclosed sum. Neohapsis is a Chicago-based security advisory and bug archivist outfit, and will boost Cisco's risk management, compliance, cloud, application, mobile and infrastructure security offerings, according to …

Microsoft lets YOU kill POODLE in Protected Mode sites

Microsoft has granted sysadmins the ability to kill exposure to rabid POODLE websites under SSL 3.0 for Internet Explorer Protected Mode sites. The Christmas gift will be switched on by default from February next year as Redmond moves to euthanise the Padding Oracle on Downgrade Legacy Encryption attack across its web presences …
Darren Pauli, 11 Dec 2014

Security holes in iOS? We've heard of them, says Apple (as it fixes vanishing ringtones)

Apple has released an update for iOS that addresses some rather annoying performance bugs, but leaves major security holes open. The company said the iOS 8.1.2 over-the-air update will address performance issues with the Apple mobile platform, including a flaw which had caused ringtones to disappear from handhelds. "This …
Shaun Nichols, 10 Dec 2014

'Critical' security bugs dating back to 1987 found in X Window

X.org, which develops the open-source X Window System for Linux and other Unix-y desktops, has warned security flaws have been discovered in the code – and some of them have been hanging around for 27 years. The bugs can be exploited by applications to crash the window system, or run malicious code as the root user if the X …
Iain Thomson, 10 Dec 2014

Taxi app Uber plugs 'privacy-threatening' web security flaw

Updated A potentially nasty XSS vulnerability discovered on the website of controversial ride-sharing service Uber has been fixed, according to the security researcher who reported the bug. The cross-site scripting vulnerability put visitors at risk of being compromised via theft of cookies, personal details, authentication credentials …
John Leyden, 10 Dec 2014

Belden buys Tripwire for $710m: Will keep network burglars out of Internet of Things things

Signal transmission firm Belden has agreed to buy security tools firm Tripwire for $710m in cash. The deal, announced Monday, is expected to close in the first quarter of 2015, subject to customary closing conditions. Tripwire's security and compliance products, such as Tripwire Enterprise, will be further developed and …
John Leyden, 10 Dec 2014

Chinese responsible for 85 per cent of website scams

Chinese internet users are behind 85 per cent of fake websites, according to a semi-annual report [PDF] from the Anti-Phishing Working Group (APWG). Of the 22,679 malicious domain registrations that the group reviewed, over 19,000 were registered to servers based in China. This is in addition to nearly 60,000 websites that were …
Kieren McCarthy, 10 Dec 2014

.Bank hires Symantec to check credentials

The launch of new .bank domain names is one step closer with the announcement [PDF] that Symantec has been chosen to act as the credentials verifier for the top-level domain. Dot-bank domains represent a new type of domain name - one restricted to a very specific group of people in order to enhance security. Banks and financial …
Kieren McCarthy, 10 Dec 2014

Dirtbags dressed up malware as legit app using Sony crypto-certs

Miscreants were quick to capitalize on the theft of Sony's cryptographic certificates – used to sign a software nasty to make it look legit. An analysis of malware dubbed Destover was published by Kaspersky Lab on Tuesday, and shows the code was signed using a private certificate belonging to Sony to evade malware filters. …
Iain Thomson, 10 Dec 2014

RIP P4ssw0rd? IT giants agree to share patents to rollout two-factor auth

Passwords, right? If they're too weak, they can be worse than useless – but making them too strong means people do dumb things like writing them down or forgetting them and pissing off IT workers with frequent reset requests. Now the FIDO Alliance – whose members include Microsoft, Google, ARM, PayPal, and Lenovo – has published the …
Iain Thomson, 10 Dec 2014

It's nearly 2015 – and your Windows PC can still be owned by a Visual Basic script

Microsoft has patched 25 software vulnerabilities – including bugs that allow hackers to hijack PCs via Internet Explorer, Word and Excel files, and Visual Basic scripts. Everyone is urged to install the fixes, as well as a batch of updates from Adobe: a flaw in the Flash plugin is already being exploited by hackers to take over …
Shaun Nichols, 9 Dec 2014

Coming to Blackphone: An app store loaded with privacy tools

Blackphone handsets can download and install a major software update today – ahead of the opening of an online store for privacy-focused apps for the mobes. The Blackphone runs its own hardened version of Android, dubbed PrivatOS, on custom …
Iain Thomson, 9 Dec 2014

Review mass-snoop laws regularly, says RIPA daddy Blunkett

Every Parliament must conduct a "complete review" of the controversial Regulation Investigatory Powers Act 2000 (RIPA) as a safeguard against the expansion of its use, former home secretary David Blunkett said today. As home secretary in 2001 Blunkett was responsible for introducing the complex rules surrounding the use of the …
Kat Hall, 9 Dec 2014

Put me through to Buffy's room, please. Sony hackers leak stars' numbers, travel aliases

The group which claimed responsibility for hacking Sony Pictures has leaked the phone numbers and travel aliases of Hollywood stars including Brad Pitt, Daniel Craig and Natalie Portman, according to a recent report. This latest development will likely pile extra pressure on the comprehensively pwned entertainment giant. …
John Leyden, 9 Dec 2014

Google App Engine has THIRTY flaws, says researcher

Adam Gowdiak of Polish security consultancy and research outfit Security Explorations claims to have found myriad security holes in Google's App Engine. Explained here, Gowdiak says he and his colleagues “discovered multiple security issues in Google App Engine that allow for a complete Java VM security sandbox escape.” Here's …
Darren Pauli, 9 Dec 2014

AliExpress patches account mass harvesting flaw

Global threads bazaar AliExpress, an offshoot of global tat bazaar AliBaba, has patched a URL flaw that allowed attackers to harvest users' personal details including names, shipping addresses and phone numbers. The insecure direct object reference vulnerability reported by an unnamed researcher affected 7.7 million logged-in …
Darren Pauli, 9 Dec 2014

Zombie POODLE wanders in, cocks leg on TLS

Google might have taken POODLE to a distant country road, let it out and driven away fast, but according to Qualys, the vulnerability has returned, repurposed, as an attack on Transaction Layer Security (TLS). Designated CVE-2014-8730, the new attack vector exploits the same class of problem as POODLE: an error in the handling …

GSMA denies latest Snowden leak

Mobile carrier club the GSMA has hit back against the latest round of Snowden claims, saying it can't find any evidence of “active targeting or compromise of GSMA systems, communications and stored documentation”. When The Intercept first ran its accusation – that the NSA and GCHQ successfully broke into the traffic of more than …

Linux software nasty slithers out of online watering holes

A malware instance built on the shoulders of a trojan so powerful it led to the creation of the US Cyber Command has been updated with Linux-popping capabilities, Kaspersky researcher Kurt Baumgartner says. The Turla advanced malware is thought to have employed its top notch stealth capabilities to remain hidden on some systems …
Darren Pauli, 9 Dec 2014

Identity thieves slurp Sony Pictures staff info – as CEO sends 'don't sue me, bro' memo

Criminals are picking through gigabytes of leaked personal information from Sony Pictures' ransacked computer network, triggering identity theft alerts, staff have told The Register. We're told crooks are, as is inevitable these days, mining files dumped online by hackers, who comprehensively compromised the movie studio's …
Iain Thomson, 8 Dec 2014

Home Wi-Fi security's just as good as '90s PC security! Wait, what?

UK home Wi-Fi security is as bad as PC security was in the 1990s, according to a new study. Security software firm Avast found that more than half of all routers are poorly protected by default or common, easily hacked password/ID combinations. Easily hacked password combinations such as admin/admin or admin/password, or even …
John Leyden, 8 Dec 2014

Manchester festival marketers fined £70,000 over spam ‘mum’ texts

Organisers of a Manchester music festival have been fined £70,000 after sending unsolicited marketing text messages. The digital junk was sent to 70,000 people who had bought tickets for the 2014 edition of Manchester's annual festival, the Parklife Weekender, and appeared on the recipients’ mobes to have been sent by "Mum". …
John Leyden, 8 Dec 2014

Orion hacker sends stowaway into SPAAAAACE

One of the 1.3 million names sent into space aboard NASA's Orion test capsule was a stowaway, uploaded to NASA's database by a security researcher who found and exploited a vulnerability. The name 'Payload1 Payload2' was one of three uploaded to the NASA Orion database that collected names to be later transferred to a chip …
Darren Pauli, 8 Dec 2014

Mighty Blighty filter tilter causes communications chaos

The Great Firewall of Britain, aka the content filters operated by telcos Vodafone and Three, has blocked access to German hacker party the Chaos Communications Congress (CCC) ahead of its annual confab. The block, presumably made in error, prevented punters from accessing the website, buying tickets and perusing the conference …
Darren Pauli, 8 Dec 2014

Kaspersky exposes SONY-CRIPPLING malware DETAILS

Kaspersky bod Kurt Baumgartner has released more details on the Sony-plundering malware and links it to attacks on Saudi Aramco and South Korea. Research conducted in the wake of the epic Sony breach last month had connected those behind the attack known as the Guardians of Peace (GOP) with the 2012 hacking of Saudi Aramco by ' …
Darren Pauli, 8 Dec 2014

NORKS: We didn't hack Sony. Whoever did was RIGHTEOUS, though

North Korea has dismissed claims it was behind the crippling hack suffered by struggling film studio Sony Pictures. But a spokesman at the country's National Defence Commission said today that the attack on the company's computer system "might be a righteous deed of the supporters and sympathisers" with Norkers as they attempt …
Kelly Fiveash, 7 Dec 2014