EU policy makers consider FRAND licensing of machine-generated data

EU policy makers are considering introducing a new licensing regime for anonymised "machine-generated data". It is one of the options the European Commission said could be introduced to facilitate greater access to the ever-growing volumes of data generated by "computer processes, applications or services, or by sensors …
OUT-LAW.COM, 13 Jan 2017

WordPress plugs eight holes in latest release

WordPress has patched a series of vulnerabilities in its content management system, shuttering bugs affecting more than 10 million users. The release of version 4.7.1 closes eight vulnerabilities including cross-site scripting, cross-site request forgery, and other remotely accessible attack vectors. "This is a security release …
Team Register, 13 Jan 2017

MongoDB hackers now sacking ElasticSearch

It is open season on open services as net scum migrate from sacking MongoDB databases to insecure ElasticSearch instances. Some 35,000 mostly Amazon Web Services ElasticSearch servers are open to the internet and to ransoming criminals, Shodan boss John Matherly says. So far more than 360 instances have had data copied and …
Darren Pauli, 13 Jan 2017

Trump's cyber-guru Giuliani runs ancient 'easily hackable website'

US president-elect Donald Trump's freshly minted cyber-tsar Rudy Giuliani runs a website with a content management system years out of date and potentially utterly hackable. Former New York City mayor and Donald loyalist Giuliani was today unveiled by Trump's transition team as the future president's cybersecurity adviser – …
Darren Pauli, 13 Jan 2017

ISC squishes BIND packet-of-death bugs

BIND administrators, get patching: there are three irritating flaws you need to splat. The denial-of-service vulnerabilities in question are CVE-2016-9131, CVE-2016-9147, and CVE-2016-9444. Common to all three is that they're exploitable denial-of-service bugs that predominantly affect BIND-based DNS servers running in …

Donald Trump will take cybersecurity advice from, um, Rudy Giuliani

The transition team for US president-elect Donald Trump has announced that former New York City mayor Rudy Giuliani will advise the incoming administration on how to secure America's digital infrastructure. We're told that the Donald may hold meetings with senior private industry executives with experience in online security. …
Iain Thomson, 12 Jan 2017

Thanks, Obama: NSA to stream raw intelligence into FBI, DEA and pals

A last-minute rule change signed off by the outgoing Obama administration has made it much easier for the NSA to share raw surveillance data with more than a dozen government agencies. The changes [PDF] are tacked onto executive order 12333, which was enacted by then-President Ronald Reagan to allow intelligence agencies to …
Iain Thomson, 12 Jan 2017

Shadow Brokers spew Windows hack tools after exploit auction flop

Security exploit peddlers Shadow Brokers announced their retirement on Thursday – and released 58 tools for hacking Windows PCs for free by way of a parting gift. The shady group is essentially giving up, and shoving malicious code – most of which is detected by Kaspersky and a few other antivirus makers – into the hands of as …
John Leyden, 12 Jan 2017

iPhone hacking biz Cellebrite hacked

The Israeli company that found fame when it was fingered as a potential source of hacking software used by the FBI to crack open an iPhone has itself been hacked. In a statement on its website, Cellebrite today admitted that an "external web server" containing the company's license management system had been accessed by an …
Kieren McCarthy, 12 Jan 2017

Security hardened, pah! Expert doubts Kaymera's mighty Google's Pixel

The arrival of a security hardened version of Google’s supposed "iPhone killer" Pixel phone from Kaymera has received a sceptical reception from one expert. Kaymera Secured Pixel is outfitted with Kaymera’s own hardened version of the Android operating system and its security architecture. This architecture is made up of four …
John Leyden, 12 Jan 2017

Brother-and-sister duo arrested over hacking campaign targeting Italy's bigwigs

A hacking operation featuring the EyePyramid trojan successfully compromised the systems of numerous high-profile Italian targets, including two former prime ministers, say Italian police. These targets were hit by a spear-phishing campaign that served a remote-access trojan codenamed "EyePyramid" as a malicious …
John Leyden, 12 Jan 2017

Peace-sign selfie fools menaced by fingerprint-harvesting tech

Researchers from Japan's National Institute of Informatics say people's fingerprints could be extracted from photographs using yet-to-be built technology. The eggheads warn that fingerprints can be copied from photographs snapped up to three metres from targets. Prints would need to be captured clearly in strong lighting, …
Darren Pauli, 12 Jan 2017

Crims shut off Ukraine power in wide-ranging anniversary hacks

Hackers of unknown origin cut power supplies in Ukraine for a second time in 12 months as part of wide-ranging attacks that hit the country in December. The attacks were revealed at the S4x17 conference in Miami in which Honeywell security researcher Marina Krotofil offered reporters some detail into the exploitation that …
Darren Pauli, 12 Jan 2017

Google Cloud unlocks key achievement

Google on Wednesday introduced its Cloud Key Management Service in beta to help Google Cloud Platform customers deal with their encryption keys. "Cloud KMS offers a cloud-based root of trust that you can monitor and audit," said product manager Maya Kaczorowski in a blog post. "As an alternative to custom-built or ad-hoc key …
Thomas Claburn, 12 Jan 2017

Digital video recorder installers master password list 'leaked' – claims

Xiongmai, the vendor behind many Mirai-vulnerable DVRs, has earned the consternation of security watchers once again. The vendor's 2017 list of superuser passwords for certain DVRs – designed only for CCTV installers to access customer installations – appears to have leaked online. "If the creds are what we think they are, …
John Leyden, 11 Jan 2017

GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug

GoDaddy was obliged to revoke thousands of SSL certificates on Tuesday as the result of an unspecified software bug. El Reg learnt of the cock-up from readers affected by the issue, who forwarded notification emails (extract below). Due to a software bug, the recently issued certificate for your domain was issued without …
John Leyden, 11 Jan 2017

GCHQ feeds first crop of infosec startups to Cyber Accelerator

The first infosec startups selected for the GCHQ Cyber Accelerator have been unveiled. The accelerator, which officially launches in Cheltenham later today, is part of a UK government-funded Cyber Innovation Centre. The tech crèche is designed to nurture information security startups to the point where they can compete on the …
John Leyden, 11 Jan 2017

US Navy runs into snags with aircraft carrier's electric plane-slingshot

The US Navy is having difficulties with its latest aircraft carrier's Electromagnetic Aircraft Launching System (EMALS) – the same system which the UK mooted fitting to its new Queen Elizabeth-class carriers. The US Department of Operational Test and Evaluation (DOTE) revealed yesterday, in its end-of-year report [PDF] for …
Gareth Corfield, 11 Jan 2017

Oh Britain. Worried your routers will be hacked, but won't touch the admin settings

Recent Mirai-style attacks against home broadband routers have had some effect but the majority of users have failed to act. A survey of 2,000 broadband users found the majority (53 per cent) have not changed the Wi-Fi password and other default settings, potentially opening themselves up to attack. The poll by ISP comparison …
John Leyden, 11 Jan 2017

How to secure MongoDB – because it isn't by default and thousands of DBs are being hacked

The rise in ransomware attacks on MongoDB installations prompted the database maker last week to issue advice on how to avoid being victimized. As of Sunday, security researcher and Microsoft developer Niall Merrigan identified more than 27,000 MongoDB databases seized by ransomware. By Tuesday afternoon Pacific Time, an …
Thomas Claburn, 11 Jan 2017

British Hadoop security startup expands to New York to land big investor

British security startup Panaseer is expanding to New York from London as it plans to land a large American investor in 2017. Panaseer will remain headquartered in London, where it develops its proprietary Security Data Lake to bring "the application of data science, advanced security intelligence and data engineering" to its …

New Windows 10 privacy controls: Just a little snooping – or the max

Microsoft has built an online dashboard of privacy controls in an attempt to soothe lingering anger over Windows 10 and its ability to phone home people's private information. The new web portal lists some of the personal data that is collected from PCs and devices and sent back to Redmond, and allows people to somewhat limit …
Shaun Nichols, 11 Jan 2017

Sundown exploit kit weaves Edge hack hole

Authors of the Sundown exploit kit have integrated a since-patched and limited Microsoft Edge vulnerability from a security firm's public proof-of-concept. The addition of the twin bugs (CVE-2016-7200 and CVE-2016-7201) means unpatched users of one of the world's most unpopular web browsers are likely to be targeted by a wide …
Darren Pauli, 11 Jan 2017

Ansible patches 'own the farm' vulnerability

Ansible sysadmins, make with the patch-fingers because the project's just gone public with a high-severity bug. CVE-2016-9587 is a peach: “a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command)”, Ansible lead …

EMC slings patch at remote hack nonce-nse

Remote attackers can hose EMC hybrid flash storage thanks to cryptographic weaknesses. The patched vulnerability (CVE-2016-0917) affects EMC's VNX1, VNX2 and VNXe systems, including the end-of-life Celerra which will not receive a fix. EMC researchers wrote in a security notice that remote attackers could access the SMB …
Team Register, 11 Jan 2017

Juniper warns: Borked upgrade opens root on firewalls

Juniper is warning users of its SRX firewalls that a borked upgrade leaves a root-level account open to the world. Any users who issued the "request system software" command with the "partition" option are affected by the bug. In its first advisory for 2017, the Gin Palace explains the failed upgrade “can leave the system in …

It's now 2017, and your Windows PC can still be pwned by a Word file

Microsoft has begun its 2017 with the release of four updates to address security holes in Windows and Office, while Adobe has posted fixes for more than three dozen vulnerabilities in Flash and Reader. Microsoft's January patch load includes: MS17-001, a fix for the Edge browser to address a flaw that would let a malicious …
Shaun Nichols, 10 Jan 2017

EU tosses Europe's cookies... popups

The EU’s most famous contribution to the internet era could be snuffed out soon, and few will mourn it. As expected, Brussels will no longer mandate that websites receive the user’s consent for placing cookies on their device. Scrapping the consent form is one of the options floated in the European Commission new public …
Andrew Orlowski, 10 Jan 2017

UK Parliament suddenly remembers it wants to bone up cyber security *cough* Russia *cough*

The UK parliament launched an inquiry into cyber-security on Tuesday. The investigation by MPs and peers follows weeks after the UK government committed to spending £1.9bn between 2016 and 2021 as part of an update to the UK’s National Cyber Security Strategy. Protecting critical national infrastructure organisations ( …
John Leyden, 10 Jan 2017

Because I'm bad, I'm bad, Shamoon: PC wiper tried to shut down Saudi snapshot defences

Security researchers have identified a second wave of Shamoon 2 PC-wiping attacks against a further target in Saudi Arabia last November. The new research shows hackers upping the ante and developing more sophisticated, multi-stage attacks. The original Shamoon attack hobbled the network of Saudi Aramco in 2012. Similar …
John Leyden, 10 Jan 2017

What do you call a firm that leaves customer financials unencrypted on a hard drive? RSA

A UK insurance business has been fined £150,000 for its lax security practices after a hard drive containing customers' unencrypted information was stolen. The hard drive disappeared from the offices of Royal & Sun Alliance insurance (ironically it prefers the abbreviation RSA) back in 2015. It contained 59,592 customers' …

Rethink on bank cybersecurity rules might only follow major bank breach, says expert

It might take a major bank to fail as a result of a cyber attack for meaningful changes in cybersecurity practices, regulation and governance in the UK banking market to be implemented, a leading industry commentator has said. In an interview with Out-Law.com, professor Richard Benham, chairman of the National Cyber Management …
OUT-LAW.COM, 10 Jan 2017

Like stealing data from a kid: LA school pays web scum US$28,000 ransom

A Los Angeles school has made a whopping US$28,000 ransomware payment after hackers raided its network. Attackers had encrypted enough to ruin computer services, email, and messaging at the Los Angeles Community College District. The school paid the bitcoin ransom after learning it had no other alternatives by way of backups …
Darren Pauli, 10 Jan 2017

Autocomplete a novel phishing hole for Chrome, Safari crims

Phishers have a new tool in their arsenal with the discovery that web browsers Chrome and Safari along with LastPass will autofill hidden registration form fields. Finnish web developer Viljami Kuosmanen discovered the flaws affecting the world's most popular browser, along with Apple's offering. The attack vector is manifest …
Darren Pauli, 10 Jan 2017

St Jude patching Merlin@home heart kit

Months after steadfastly denying its heart implants have serious security vulnerabilities, St Jude – now owned by Abbott Laboratories – has issued a patch. The company's press release is here. Last year, a pentester and an investor pulled a now-notorious double act on St Jude, shorting its stock before publishing the …

Two years on, thousands of unpatched Magento shops still being carded

More than 6,000 online stores running eBay's Magento platform have been hacked with credit cards stolen under a campaign that could span almost two years, Germany's Federal Office for Information Security says. Attackers are injecting carding malware on unpatched Magento shops, which steals payment information during …
Darren Pauli, 10 Jan 2017

Prison librarian swaps books for bars after dark-web gun buy caper

A prison librarian in England was today sentenced to more than seven years in prison for trying to buy a handgun and bullets online and for drug offences. Dwain Osborne, of Avenue Road, Penge, in London, was nabbed in October of 2015 after he sought to procure a Glock 19 – a staple of police and security forces worldwide – and …
Gavin Clarke, 9 Jan 2017

Top cop: Strap Wi-Fi jammers to teen web crims as punishment

+Comment The president of top cops’ trade union the Police Superintendents’ Association (PSA) has suggested that teens convicted of computer-based crimes should be fitted with ankle-mounted Wi-Fi jammers. Speaking to the Daily Telegraph over the weekend, Chief Superintendent Gavin Thomas said: “If you have got a 16-year-old who has …

Google caps punch-yourself-in-the-face malicious charger hack

Google has capped a dangerous but somewhat obscure boot mode vulnerability that allowed infected PCs and chargers to put top end Nexus phones into denial of service states. IBM reported the flaw (CVE-2016-8467) which allows infected computers and malicious power chargers to compromise Nexus 6 and 6p phones. Google badged the …
Darren Pauli, 9 Jan 2017

VNC server library gets security fix

An important fix for libvncserver has landed in Debian and on the library's GitHub page. Late in 2016, a bug emerged in the VNC libraries that left clients vulnerable to malicious servers. As the Debian advisory states, the fix addresses two bugs: CVE-2016-9941 and CVE-2016-9942. The libraries incorrectly handled incoming …

MongoDB ransom attacks soar, body count hits 27,000 in hours

MongoDB databases are being decimated in soaring ransomware attacks that have seen the number of compromised systems more than double to 27,000 in a day. Criminals are accessing, copying and deleting data from unpatched or badly-configured databases. Administrators are being charged ransoms to have data returned. Initial …
Darren Pauli, 9 Jan 2017

Bank robber reveals identity – by using his debit card during crime

On January 3, Alvin Lee Neal received a 46-month prison sentence for robbing a Wells Fargo Bank in San Diego, California, and was ordered to pay back the $565 taken. Neal, a registered sex offender, acknowledged his role in the May 13, 2016 robbery in a plea agreement with the US Attorney's Office of Southern California. As …