Half! a! billion! Yahoo! email! accounts! raided! by! 'state! hackers!'

Updated Hackers strongly believed to be state-sponsored swiped account records for 500 million or more Yahoo! webmail users. And who knew there were that many people using its email? The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, …
Iain Thomson, 22 Sep 2016

DDoS attacks: For the hell of it or targeted – how do you see them off?

Distributed Denial of Service (DDoS) attacks can be painful and debilitating. How can you defend against them? Originally, out-of-band or scrubbing-centre DDoS protection was the only show in town, but another approach, inline mitigation, provides a viable and automatic alternative. DDoS attacks can be massive, in some cases …
Danny Bradbury, 22 Sep 2016

SWIFT warns of more 'sophisticated' attacks, readies anti-fraud tool

The chief information security officer for global money transfer network SWIFT says banks are still under attack from fraudsters hoping to cash in on identified security gaps to steal millions of dollars. Alain Desausoi, security head of the Society for Worldwide Interbank Financial Telecom made the comments at the Financial …
Darren Pauli, 22 Sep 2016

Google automates Apps OAuth token revocation

Google has refined the security controls available to enterprise Gmail users by automatically killing OAuth 2.0 tokens for Apps when users change passwords. The changes will land on October 5th and will not affect users unless they change their password. It is a watered down version of planned security changes offered in …
Team Register, 22 Sep 2016

Cisco snaps shut remote pwnage hole in Cloud Services Platform

Cisco has provided a patch to address a remote hijacking vulnerability in its Cloud Services Platform (CSP). Switchzilla said that all customers who run CSP 2100 software should install the 2.1.0 update to close a remote code execution flaw it considers to be a high security risk. Designed as an efficient way to manage …
Shaun Nichols, 21 Sep 2016

US cities promise to crack down on police surveillance tech

A handful of US cities are banding together in an effort to change the way police acquire and use surveillance technology. The cities in the group – including New York, Washington DC, Seattle, and Milwaukee – say they will introduce bills to place additional reporting and approval requirements for the surveillance tools their …
Shaun Nichols, 21 Sep 2016

Wow, RIP hackers ... It's Cyber-Lord Blunkett to the rescue for UK big biz

A high-profile project has been launched with the aim of strengthening UK enterprises' IT security. The Cyber Highway was launched in London on Tuesday by Lord David Blunkett. The resource offers a “user-friendly online portal for large enterprises that want to strengthen the cyber defence of their supply chain.” Corporations …
John Leyden, 21 Sep 2016

Victoria Police warn of malware-laden USB sticks in letterboxes

Police in the Australian State of Victoria have warned citizens not to trust un-marked USB sticks that appear in their letterboxes. The warning, issued today, says “The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.” “Upon …
Simon Sharwood, 21 Sep 2016

Greybeards beware: Hair dye for blokes outfit Just For Men served trojan

Malware writers have penetrated the website of hair-dye-for-greying-blokes outfit Just For Men, foisting a password-stealing trojan at visitors, Malwarebytes researcher Jerome Segura says. Attackers are using the RIG exploit kit, which recently dethroned Neutrino as the most popular of the off-the-shelf crime kits that make …
Team Register, 21 Sep 2016

BT's Wi-Fi Extender works great – at extending your password to hackers

BT is urging folks to patch the firmware in its Wi-Fi Extender following the discovery of multiple security flaws. Security researchers at Pen Test Partners discovered vulnerabilities with the consumer-grade kit, including cross-site scripting and the ability to change a password without knowing it. Pen Test Partners found it …
John Leyden, 21 Sep 2016

10-second hijack hole could kill any Facebook profile

University student Arun S Kumar has scored US$16,000 (£12,312, A$21,200) for finding and reporting a Facebook vulnerability that led to account hijacking. The flaw in Facebook's Business Manager, reported through BugCrowd late last month and since patched, was an insecure direct object reference (IDOR) vulnerability which bypassed normal …
Darren Pauli, 21 Sep 2016
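The bug class named above, insecure direct object reference, is easiest to see as a vulnerable handler beside its fixed form. The following is an added example built on an invented in-memory "business" model; it is not Facebook's code and does not reproduce the reported endpoint, request or parameters, only the class of mistake. The business and user ids, the handler names and the error messages are all constructed for illustration.

```python
"""Insecure direct object reference (IDOR): a handler that acts on whatever
object ids the client supplies, beside the fixed form that checks the caller's
relationship to the object first.

Added example built on an invented in-memory "business" model. It is not
Facebook's code and does not reproduce the reported request, endpoint or
parameters; only the bug class is the same.
"""
import copy

# Constructed state: business 100 is administered by users 1 and 7; the
# attacker is user 2, who legitimately administers an unrelated business 200.
_SEED = {100: {1, 7}, 200: {2}}


def fresh_db():
    """Admin sets keyed by business id, copied so each scenario starts clean."""
    return copy.deepcopy(_SEED)


def remove_admin_vulnerable(db, business_id, user_id):
    """The client names the business and the user; the server checks only that
    the business exists. Any logged-in user can therefore strip the admins
    from any business whose id they can guess or enumerate."""
    admins = db[business_id]
    admins.discard(user_id)
    return sorted(admins)


def remove_admin_fixed(db, caller_id, business_id, user_id):
    """Look the object up, then authorise the caller against it before acting.
    The id is a lookup key, never evidence that the caller may touch the object."""
    admins = db.get(business_id)
    if admins is None or caller_id not in admins:
        # One response for "no such business" and "not yours", so an attacker
        # cannot use the error message to enumerate valid business ids.
        raise PermissionError("not an administrator of this business")
    if user_id not in admins:
        raise LookupError("user is not an administrator of this business")
    if user_id == caller_id and len(admins) == 1:
        raise ValueError("cannot remove the last administrator")
    admins.discard(user_id)
    return sorted(admins)


def attempt(fn, *args):
    """Run a handler and report the outcome as (status, detail), so the two
    versions can be compared without exceptions escaping."""
    try:
        return ("ok", fn(*args))
    except (PermissionError, LookupError, ValueError, KeyError) as exc:
        return (type(exc).__name__, str(exc))


def run_scenarios():
    """Exercise both handlers on fresh copies of the data and collect the outcomes."""
    db = fresh_db()
    results = {"vuln_attacker_removes_owner": attempt(remove_admin_vulnerable, db, 100, 1)}
    db = fresh_db()
    results["fixed_attacker_removes_owner"] = attempt(remove_admin_fixed, db, 2, 100, 1)
    results["fixed_unknown_business"] = attempt(remove_admin_fixed, db, 2, 999, 1)
    results["owner_admins_after_attack"] = sorted(db[100])
    results["fixed_owner_removes_coadmin"] = attempt(remove_admin_fixed, db, 1, 100, 7)
    results["fixed_remove_last_admin"] = attempt(remove_admin_fixed, db, 1, 100, 1)
    results["fixed_remove_non_admin"] = attempt(remove_admin_fixed, db, 1, 100, 42)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The vulnerable version is not "missing authentication": the caller is logged in. What it lacks is an authorisation check binding the caller to the specific object, which is exactly what makes an IDOR cheap to find with nothing more than a second account and an incremented id.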

Citrix swats Sweet32 bug by just turning off old ciphers

Citrix has pushed back a little against the dangers posed to its users by the Sweet32 “birthday attack” against old ciphers. The attack, published in late August, is a birthday attack against ciphers with a 64-bit block size, such as Blowfish and Triple DES. That has prompted various vendors to get patching, but as Citrix explains in this blog post …
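Why "just turning off old ciphers" is the right fix rather than a cop-out comes straight out of the birthday bound: with a 64-bit block, the amount of data one key can safely encrypt is measured in tens of gigabytes, and a long-lived browser connection can get there. The following is an added example, not code from Citrix or from the Sweet32 authors. Suite names follow OpenSSL's naming, the sample suite list is constructed, and the helpers for filtering a cipher list are this example's own.

```python
"""Sweet32 in numbers: why 64-bit block ciphers get switched off rather than patched.

Added example; not code from Citrix or from the Sweet32 authors. Suite names
follow OpenSSL's naming and the suite list below is constructed.
"""
import math

# Block size in bits, keyed by the substring that identifies the cipher in an
# OpenSSL suite name. Order matters: "DES-CBC3" must be tried before "DES-CBC".
BLOCK_BITS = [
    ("DES-CBC3", 64),      # Triple DES, the Sweet32 target still widely enabled
    ("DES-CBC", 64),
    ("IDEA", 64),
    ("RC2", 64),
    ("AES128", 128), ("AES256", 128),
    ("CAMELLIA128", 128), ("CAMELLIA256", 128),
]


def block_bits(suite):
    """Block size of the cipher in a suite, or None for stream ciphers and
    names this table does not know. Only block size is judged here; RC4, for
    example, passes this filter and is unsafe for unrelated reasons."""
    for needle, bits in BLOCK_BITS:
        if needle in suite:
            return bits
    return None


def collision_probability(n_blocks, bits):
    """Birthday bound for CBC: probability that at least two of n ciphertext
    blocks are equal. Each collision reveals the XOR of two plaintext blocks,
    which is how Sweet32 recovers a secret (a session cookie) that the victim's
    browser sends thousands of times over one long-lived connection."""
    return -math.expm1(-(n_blocks ** 2) / 2.0 ** (bits + 1))


def bytes_until(p, bits):
    """Bytes that must be sent under one key before the collision probability
    reaches p. For 64-bit blocks and p = 0.5 this is about 40 GB; for 128-bit
    blocks it is beyond anything a TLS connection will ever carry."""
    n_blocks = math.sqrt(-2.0 ** (bits + 1) * math.log1p(-p))
    return n_blocks * (bits // 8)


def split_suites(suites):
    """Return (keep, drop): every suite built on a 64-bit block cipher is dropped."""
    keep, drop = [], []
    for suite in suites:
        (drop if block_bits(suite) == 64 else keep).append(suite)
    return keep, drop


def openssl_cipher_string(suites):
    """Cipher list in OpenSSL syntax: the surviving suites, then explicit
    exclusions so a later config merge cannot re-enable the weak families."""
    keep, _ = split_suites(suites)
    return ":".join(keep + ["!3DES", "!IDEA", "!RC2", "!DES"])


# Constructed list, as a server might advertise before the change.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-DES-CBC3-SHA",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "IDEA-CBC-SHA",
]

if __name__ == "__main__":
    for bits in (64, 128):
        p = collision_probability(2 ** 32, bits)
        print(f"{bits}-bit blocks: P(collision) after 2^32 blocks = {p:.3g}, "
              f"50% at {bytes_until(0.5, bits) / 1e9:.3g} GB")
    keep, drop = split_suites(SAMPLE_SUITES)
    print("drop:", drop)
    print("cipher string:", openssl_cipher_string(SAMPLE_SUITES))
```

After 2^32 blocks (about 34 GB under a 64-bit cipher) the collision probability is already 39 per cent; the same block count under AES is around 10^-20. That gap is the whole argument: no patch changes the block size, so the only fix is to stop offering the suite, and the explicit `!3DES`-style exclusions keep it from creeping back in.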

CloudFlare offers web encryption up the wazoo

CloudFlare is promising to bring about the encrypted internet by adopting the latest web security protocols and offering a solution to the horror of mixed content. Just over a week since Google warned it would start labeling HTTP websites as "not secure," CloudFlare promises to help the many, many website owners who have a mix …
Kieren McCarthy, 20 Sep 2016

Mobile review website MoDaCo coughs to data breach

Smartphone news and reviews site MoDaCo has admitted to a data breach. MoDaCo founder Paul O’Brien confirmed the leak (first reported by Have I Been Pwned) while playing down its significance. Email and IP addresses, usernames and (hashed) passwords for up to 875,000 MoDaCo accounts were dumped online. …
John Leyden, 20 Sep 2016

Going, going, done: Trio of prolific auction fraud fraudsters jailed

Three men were jailed yesterday over a conspiracy to commit internet shopping fraud, a scam that involved taking payments for non-existent goods and services. Calin Serbenescu, 28, a former labourer, was sentenced to five years' imprisonment; Ionut Cotavian Anitescu, 26, unemployed, was sent down for three years; while Dorel …
John Leyden, 20 Sep 2016

Hackers claim they breached Aussie point-of-sale tech firm, try to sell 'customer DB'

Exclusive Hackers claim to have broken into Australian point-of-sale (PoS) technology company H&L Australia, and have been telling potential buyers that they lifted its customer database. They were already offering it for sale for AU$22,000 ($16,580, £12,723) more than two months ago. If indeed they have hacked into H&L, …
Darren Pauli, 20 Sep 2016

Online scammers speed up: Hit gold every 15 seconds

There were over one million fraud attempts in the UK in the first six months of 2016, or one every 15 seconds - more than 50 per cent higher than the same period of last year. Between January and June 2016 there were 1,007,094 fraud cases in the UK compared to 660,308 in the first six months of 2015. Each case represents a …
John Oates, 20 Sep 2016

Microsoft lets Beijing fondle its bits in new source code audit hub

Microsoft has opened a technology centre in China to reassure Beijing it does not have backdoors in its software. The so-called Transparency Centre is the third Redmond has opened to reassure governments that Microsoft's wares are secure. Redmond's trustworthy computing corporate veep Scott Charney says the centre will allow …
Darren Pauli, 20 Sep 2016

Brits: Can banks do biometric security? We'd trust them before the government

Brits have more faith in their banks than government agencies to roll out authentication technologies based on biometrics, according to a new survey from Visa. Consumers are nearly twice as likely to trust banks to store and keep their biometric information such as fingerprints and iris scans safe (60 per cent), than they are …
John Leyden, 19 Sep 2016

Microsoft snubs alert over Exchange hole

Microsoft has downplayed the seriousness of an alleged Exchange Autodiscover vulnerability, saying that it sees no need to patch the reported security weakness. Redmond contends that its existing security advice covers the issue, a point disputed by flaw-finder Marco van Beek. Van Beek explains: “I recently discovered that …
John Leyden, 19 Sep 2016

Dark web drug sellers shutter location-tracking EXIF data from photos

Criminals have started to aggressively erase EXIF metadata from their photos to make it harder for authorities to locate them, Harvard University students Paul Lisker and Michael Rose find. Unbeknownst to most, digital cameras and smartphones that shoot in JPG or TIFF formats write information on where a photograph was taken, …
Darren Pauli, 19 Sep 2016
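The location data in question sits in the Exif block of a JPEG: an APP1 segment wrapping a small TIFF structure whose first directory (IFD0) carries a pointer to a GPS sub-directory with the latitude and longitude tags. The following added example walks that structure to report whether GPS tags are present and then drops the whole Exif segment; it is not code from the Harvard study or from any metadata tool. The sample file is a constructed marker skeleton with an invented coordinate, not a decodable image, but real photos carry the same layout with more segments in between.

```python
"""Locate and strip the Exif block, where a camera's GPS tags live, from a JPEG.

Added example; not code from the Harvard study or from any metadata tool. The
sample file is a constructed marker skeleton (SOI, APP0, APP1/Exif, SOS, EOI)
carrying a GPS sub-IFD; it is not a decodable image.
"""
import struct

SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                  # IFD0 entry pointing at the GPS sub-IFD
TAG_GPS_LAT_REF, TAG_GPS_LAT = 0x0001, 0x0002


def segments(jpeg):
    """Yield (start, end, marker, payload) for each header segment before SOS.
    From SOS onward the file is entropy-coded image data, which holds no metadata."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i + 4 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        while i + 1 < len(jpeg) and jpeg[i + 1] == 0xFF:   # optional fill bytes
            i += 1
        marker = jpeg[i + 1]
        if marker in (SOS, EOI):
            return
        (length,) = struct.unpack(">H", jpeg[i + 2:i + 4])   # includes its own 2 bytes
        yield i, i + 2 + length, marker, jpeg[i + 4:i + 2 + length]
        i += 2 + length


def _exif_tiff(jpeg):
    """The TIFF structure inside the APP1/Exif segment, or None if absent."""
    for _, _, marker, payload in segments(jpeg):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            return payload[len(EXIF_HEADER):]
    return None


def _ifd_entries(tiff, endian, offset):
    """Tag -> value/offset field for one image file directory."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for k in range(count):
        at = offset + 2 + 12 * k
        tag, _type, _count, value = struct.unpack(endian + "HHII", tiff[at:at + 12])
        entries[tag] = value
    return entries


def gps_tags(jpeg):
    """Tags present in the GPS sub-IFD, or an empty set when the file has no
    Exif block or no GPS pointer. Offsets inside the TIFF are relative to its
    start, and its byte order ("II" or "MM") is declared in its first two bytes."""
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return set()
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd0_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic in Exif block")
    ifd0 = _ifd_entries(tiff, endian, ifd0_off)
    if TAG_GPS_IFD not in ifd0:
        return set()
    return set(_ifd_entries(tiff, endian, ifd0[TAG_GPS_IFD]))


def strip_exif(jpeg):
    """Copy every segment except APP1/Exif, then the image data verbatim.
    Dropping the whole block is the safe choice: blanking individual GPS
    entries means fixing up every offset in the TIFF, and it is easy to leave
    a second copy of the coordinates behind in the thumbnail IFD."""
    out = bytearray(jpeg[:2])
    tail = 2
    for start, end, marker, payload in segments(jpeg):
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        tail = end
    out += jpeg[tail:]
    return bytes(out)


def build_sample_jpeg():
    """Constructed file: IFD0 holds only a GPS pointer; the GPS IFD holds
    GPSLatitudeRef = 'N' and GPSLatitude = 51 deg 30' 0" (an invented point)."""
    ifd0_off, gps_off, rat_off = 8, 26, 56            # offsets within the TIFF
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)      # type 4 = LONG
            + struct.pack("<I", 0))                                  # no next IFD
    gps = (struct.pack("<H", 2)
           + struct.pack("<HHI", TAG_GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"  # ASCII inline
           + struct.pack("<HHII", TAG_GPS_LAT, 5, 3, rat_off)       # 3 RATIONALs by offset
           + struct.pack("<I", 0))
    rationals = struct.pack("<IIIIII", 51, 1, 30, 1, 0, 1)
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + gps + rationals

    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    app0 = seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = seg(APP1, EXIF_HEADER + tiff)
    sos = seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + app0 + app1 + sos + b"\x12\x34\x56" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("GPS tags before:", sorted(gps_tags(photo)))
    print("GPS tags after: ", sorted(gps_tags(strip_exif(photo))))
```

Two caveats a practitioner should keep in mind: other formats (PNG, HEIC) and other containers (XMP in an APP1 segment that does not start with "Exif", IPTC in APP13) can carry location too, and a photo re-encoded by a social network or messaging app has usually had all of this removed already, which is one reason the study's before-and-after comparison is informative at all.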

FBI overpaid $999,900 to crack San Bernardino iPhone 5c password

University of Cambridge senior research associate Sergei Skorobogatov has laid waste to United States Federal Bureau of Investigation (FBI) assertions about iPhone security by demonstrating password bypassing using a $100 NAND mirroring rig. FBI director James Comey made the claim during the agency's bid to defeat the password …
Team Register, 19 Sep 2016

Mozilla will patch zero-day Firefox bug to fizzle man-in-the-middle diddle

Mozilla will patch a flaw in Firefox that can be exploited by well-resourced attackers to impersonate the browser's software update servers – and thus inject malicious code into victims' computers. This vulnerability can, for one thing, be exploited to unmask people using the Tor project's Firefox-based anonymizing web browser …
Darren Pauli, 18 Sep 2016

Let's Encrypt won its Comodo trademark battle – but now fan tools must rename

Popular Bash shell script LetsEncrypt.sh, which is used to manage free SSL/TLS certificates from the Let's Encrypt project, has renamed this week to avoid a trademark row. This comes in the wake of Let's Encrypt successfully fending off Comodo, which tried to cynically snatch "Let's Encrypt" for itself. LetsEncrypt.sh, …
Chris Williams, 18 Sep 2016

National Cyber Security Centre to shift UK to 'active' defence

The head of the UK’s new National Cyber Security Centre (NCSC) has detailed plans to move the UK to "active cyber-defence", to better protect government networks and improve the UK’s overall security. The strategy update by NCSC chief exec Ciaran Martin comes just weeks before the new centre is due to open next month and days …
John Leyden, 16 Sep 2016

Pramworld admits mailing list breach

UK baby care supplier Pramworld has admitted that a breach of its systems was the reason customers were sent spam emails on Friday. In a statement supplied to El Reg (below), Pramworld admitted its mailing list had been compromised while downplaying the problem and offering reassurance that payment information had not been …
John Leyden, 16 Sep 2016

You call it 'hacking.' I call it 'investigation'

Something for the Weekend, Sir? Here's a photo of what I had for lunch! Amazing!!! No it isn't amazing. It's your lunch. You gotta see the new 4k TV I bought today! Thanks for giving me a fascinating, if cursive, inventory of your consumer durables. Took Jonesy out for his walk and he chased a rabbit. Nice to have your pet's name. Could be useful. 28 …
Alistair Dabbs, 16 Sep 2016

Ransomware scum infect Comic Relief server: Internal systems taken down

Comic Relief’s internal systems are down for the third day running after a ransomware attack on one of the charity’s servers on Wednesday. Founded in 1985 by comedy scriptwriters, the charity behind the UK’s Red Nose Day telethon took down all of its internal systems in the wake of the attack. An email sent on Wednesday to the …

Researcher says Patch Tuesday fix should have been made earlier

Security researcher Kafeine says one of this week's Microsoft patches addresses a vulnerability it has known about since last year, and that Redmond may only have pulled the patching trigger after a spate of banking trojan attacks. The attacks utilised the low-level flaw (CVE-2016-3351) for cloaking purposes among an arsenal of exploits. The …
Darren Pauli, 16 Sep 2016

Remote hacker nabs Win10 logins in 'won't-fix' Safe Mode* attack

Security researcher Doron Naim has cooked an attack that abuses Windows 10's Safe Mode to help hackers steal logins. The Cyberark man says remote attackers need to have access to a PC before they can spring this trap, which involves rebooting a machine into Safe Mode to take advantage of the lesser security controls offered in …
Darren Pauli, 16 Sep 2016

Cisco drops patch for nasty WebEx remote code execution hole

Cisco is warning admins to apply a patch for a critical WebEx vulnerability, one of nine fixed this week. The remote code execution flaw (CVE-2016-1482) could allow attackers to execute arbitrary commands on WebEx servers. Admins can only apply the patch and do not have an option to deploy work-around mitigations. "A …
Darren Pauli, 16 Sep 2016

Encryption backdoors? It's an ongoing dialogue, say anti-terror bods

CloudFlare Internet Summit It's not every day you walk into a tech conference in San Francisco to find a propaganda video for the Islamic State playing on the screens. Two counterterrorism experts from Washington, DC, were opening the CloudFlare Internet Summit by talking about the use of social media by terrorist groups and what could be done to …
Kieren McCarthy, 15 Sep 2016

It's OK for the FBI's fake hacks to hack suspects' PCs, says DoJ watchdog

No rules were broken when an FBI agent posed as a journalist to infect a criminal suspect's PC with spyware, says a US watchdog. And the Feds can do it again, provided they get the undercover operation signed off by their higher-ups. Way back in June 2007, 15-year-old Charles Jenkins used a Gmail account to send a bomb threat …
Chris Williams, 15 Sep 2016

Trump website server config snafu left interns' CVs exposed

Misconfiguration of Donald Trump's campaign website left the personal information of interns – and perhaps more – accessible to casual snooping. Staffers of the real estate mogul-turned-US presidential candidate “bungled the settings on their Amazon S3 server”, according to MacKeeper security researcher Chris Vickery, the …
John Leyden, 15 Sep 2016
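"Bungled settings" on S3 almost always means one of two things: a bucket ACL that grants READ (which on a bucket means "list every object") to the AllUsers or AuthenticatedUsers group, or a bucket policy with a wildcard principal. The following added check flags both; it is not a reconstruction of the campaign's bucket. The ACL and policy documents are constructed in the shape boto3's get_bucket_acl() and get_bucket_policy() return, and the bucket name is invented.

```python
"""Spot the S3 misconfiguration described above: a bucket whose ACL or bucket
policy lets everyone read (or list) it.

Added example; not a reconstruction of the campaign's bucket. The ACL and
policy documents are constructed in the shape boto3's get_bucket_acl() and
get_bucket_policy() return, and the bucket name is invented.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, no AWS account needed",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def public_acl_grants(acl):
    """(who, permission) for every grant to a public group. READ on a *bucket*
    ACL means 'list the bucket', which is what turns a guessed bucket name into
    a directory listing of every object in it."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def _principal_is_everyone(principal):
    """True for the wildcard forms IAM accepts: "*", {"AWS": "*"} or a list containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Allow statements open to every principal and not narrowed by a Condition.
    A source-IP or VPC condition makes a wildcard principal much less alarming,
    so conditioned statements are left for manual review rather than flagged."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_everyone(s.get("Principal"))
            and "Condition" not in s]


def audit_bucket(name, acl, policy_json=None):
    """Human-readable findings for one bucket; an empty list means nothing public."""
    findings = [f"{name}: ACL grants {perm} to {who}" for who, perm in public_acl_grants(acl)]
    if policy_json:
        for s in public_policy_statements(policy_json):
            actions = s.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            findings.append(f"{name}: policy allows {', '.join(actions)} to everyone on {s.get('Resource')}")
    return findings


OWNER_ID = "a" * 64   # canonical user id, constructed

PUBLIC_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [PUBLIC_ACL["Grants"][0]]}

LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-campaign-uploads/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-campaign-uploads/press/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})

if __name__ == "__main__":
    for line in audit_bucket("example-campaign-uploads", PUBLIC_ACL, LEAKY_POLICY):
        print(line)
    print("private bucket:", audit_bucket("example-campaign-uploads", PRIVATE_ACL))
```

To run this against real buckets, feed it the dictionaries returned by boto3's `get_bucket_acl()` and the policy string from `get_bucket_policy()["Policy"]` for each bucket in `list_buckets()`; object-level ACLs can make individual files public even when the bucket itself passes, so a full sweep also samples objects.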

DDoSers do it more now, but they do it less fiercely*

The number of distributed denial of service attacks has doubled over the last 12 months. Akamai reports that Q2 saw a 129 per cent year-on-year increase in total DDoS attacks. During the second quarter, Akamai mitigated a total of 4,919 attacks, one of which (against a media company) reached an eye-watering 363 Gbps. Although …
John Leyden, 15 Sep 2016

Hacker and chums jailed over gold bullion hack, track 'n' grab scam

A UK hacker who broke into the computer systems to get details of gold bullion deliveries so they could be intercepted and stolen has been jailed for five years and four months. London resident Adam Penny, 25, was jailed this week after previously pleading guilty to conspiracy to steal and a computer misuse offence. Penny …
John Leyden, 15 Sep 2016

Gutted: 6.6M cleartext creds, dox, breached in ClixSense site hack

Cleartext passwords, real names and usernames, email addresses and IP addresses for 2.2 million users of cash-for-surveys site ClixSense have been dumped online, with a further alleged 4.4 million up for sale. The records also include the pay outs the site has handed each breached user, Australian researcher Troy Hunt …
Darren Pauli, 15 Sep 2016

Double-dipping malware steals iOS creds and roots Android

A newly-outed trojan is exploiting iOS and Android devices, ripping iCloud credentials by abusing the trusted link between phones and PCs, says Palo Alto Networks security researcher Claud Xiao. The attack appears to have failed in most circumstances, thanks to iOS' sandboxing security controls, hardened modern Android operating systems, …
Darren Pauli, 15 Sep 2016

Google GPS grab felt like a feature, was actually a bug

Google has confirmed that its Play digital tat bazaar made a whole lot of unexpected attempts to locate users even after they opted-out of location services. But Google says the behaviour was a bug, not a feature. "Amanda", a Google Play community manager, posted the following in the forum that kicked off the furore: We …

35,000 ARRIS cable modems at risk from firmware dumper bot

Hackers have exploited a back door in more than 35,000 ARRIS modems, making off with firmware and certificates, according to security researcher Bernardo Rodrigues. ARRIS makes cable modems and associated home networking kit. It recently shipped a patch to address a 2015 zero-day which at the time of disclosure impacted 600,000 …
Darren Pauli, 15 Sep 2016

French hackers selling hidden .22 calibre pen guns on secret forums

French hackers are selling concealed weapons including so-called pen guns that fire .22 Long Rifle bullets on highly secretive crime forums, threat researcher Cedric Pernet says. Videos of the home-made pen guns scattered around the internet show the weapons in working use. The guns are being sold for €150 (US$169, £127, A$ …
Darren Pauli, 15 Sep 2016

65 expert speakers reveal secure identity management solutions at Biometrics 2016

Promo Need to know more about the role of biometrics, such as fingerprint, DNA, facial and iris recognition, in identity management? Sign up now for Biometrics 2016, three days of expert insight and discussion in the heart of London from 18 to 20 October 2016. You can get more information and sign up at Biometrics 2016 but here …
David Gordon, 14 Sep 2016