
Google reveals bug Microsoft says is mere gnat

Google has reported a local file flaw affecting Windows 7 and 8.1 32- and 64-bit systems in the third vulnerability dropped since a spat with Microsoft erupted last week. The vulnerability that allowed a malicious Server Message Block version 2 server to force a client to open arbitrary local files was marked high severity by …
Darren Pauli, 20 Jan 2015

Whisper keeping schtum over abuse of user data

Former editor of "anonymous" app Whisper, Neetzan Zimmerman, has left the company and joined Washington DC rag, The Hill. Zimmerman was at the center of a controversy late last year when it was revealed Whisper was tracking its users, even those that had specifically asked not to be followed, in order to provide news fodder to …
Kieren McCarthy, 20 Jan 2015

2014 in infosec: Spammers sneak small botnets under the wire, Java is dull

Cisco's annual report on the state of global cybersecurity claims spammers just won't die and are using new tactics to avoid detection by filters; malware programmers are abandoning exploiting Java; and there's a possible silver cloud in the Sony Pictures hacking storm. The networking giant saw malware-carrying spam up 250 per …
Iain Thomson, 20 Jan 2015

Video nasty: Two big bugs in VLC media player's core library

A Turkish hacker has revealed two zero-day vulnerabilities in library code used by the popular VLC media player and others. The data execution prevention (CVE-2014-9597) and write access (CVE-2014-9598) violation vulnerabilities could lead to arbitrary code execution, researcher Veysel Hatas said in a post. "VLC Media Player …
Darren Pauli, 20 Jan 2015

Oracle E-Business suite wide open to database attack

Clear some time in your diary and drink an extra coffee, sysadmins: a top hacker has warned that Oracle will tomorrow patch a horror bug that needs urgent attention. Datacom TSS hacker David Litchfield told The Reg he has reported to Oracle that versions of its E-Business suite contain a "major" misconfiguration flaw that allowed …
Darren Pauli, 20 Jan 2015

Possible Lizard Squad members claim hack of Oz travel insurer

Nearly 900,000 client records including names, addresses, and phone numbers have been stolen from travel insurer Aussie Travel Cover by a suspected member of the Lizard Squad hacking crew. The hacker released databases including those detailing customer policies and travel dates along with a list of partial credit card …
Darren Pauli, 20 Jan 2015

NSA: We're in YOUR BOTNET

The NSA quietly commandeered a botnet targeting US Defence agencies to attack other victims including Chinese and Vietnamese dissidents, Snowden documents reveal. The allegation is among the latest in a cache of revelations dropped by Der Spiegel that revealed more about the spy agency. The "Boxingrumble" botnet was detected …
Darren Pauli, 19 Jan 2015

Microsoft Outlook PENETRATED by Chinese 'man-in-the-middle'

Microsoft suffered a "man-in-the-middle" attack on its Outlook email service in China over the weekend, according to Greatfire.org. The assault on its mail systems apparently lasted around 24 hours before returning to normal. It came after Google's Gmail was blocked in the People's Republic late last year. Greatfire.org said …
Team Register, 19 Jan 2015

Nice SECURITY, 'Lizard Squad'. Your DDoS-for-hire service LEAKS

A DDoS-for-hire service purportedly set up by the Lizard Squad hacking crew exposes registered users' login credentials. The LizardStresser DDoS-on-demand service – a booter service powered by hacked home routers – is hopelessly insecure. Details of more than 14,000 prospective users - whose passwords and usernames were …
John Leyden, 19 Jan 2015

Just WHY is the FBI so sure North Korea hacked Sony? NSA: *BLUSH*

+Comment For those still wondering why US President Barack Obama and the FBI have so confidently blamed North Korea for the Sony Pictures hack, it's apparently because the NSA compromised the secretive country's computer network years before – giving American intelligence a front-row seat for subsequent shenanigans. The New York Times …
John Leyden, 19 Jan 2015

Firefox 35 stamps out critical bugs

Mozilla has crushed nine bugs, some rather dangerous, in the latest version of its flagship browser. The fixes include a patch for a critical sandbox escape (CVE-2014-8643) in the Gecko Media Plugin used for h.264 video playback affecting Windows machines (but not OS X or Linux). Another critical hole addressed a read-after- …
Darren Pauli, 19 Jan 2015

Buggy? Angry? LET IT ALL OUT says Linus Torvalds

Linux overlord Linus Torvalds has articulated views on security at Linux.conf.au, and seems to be closer to Google's way of thinking than Microsoft's. Torvalds, along with Debian luminary Bdale Garbee, Samba man Andrew Tridgell, and kernel coder Rusty Russell spent an hour answering conference attendees' questions last week. …
Simon Sharwood, 19 Jan 2015

AT LAST: Australia gets its very own malware

Australians are being targeted by a new variant of the Carberp malware under what appears to be renewed criminal interest in the antipodes. The modified trojan, Carberp.C, was spread through a spam operation masquerading as a payment invoice. Virus writers pushed the malware out a day after coding it, Symantec researcher …
Darren Pauli, 19 Jan 2015

Dongle bingle makes two MEELLION cars open to exploit

A Bluetooth dongle used to track driver habits for insurance purposes has been hacked, potentially allowing cars to be remotely hijacked, researcher Corey Thuen says. The attack targeted the SnapShot dongle offered by US company Progressive Insurance and used by two million American drivers which collected vehicle location and …
Darren Pauli, 19 Jan 2015

Siri? Are you seeing another man?

A group of computer scientists from Italy and Poland reckon they can use steganography to hide covert messages in users' voice commands to Siri. What's interesting about the work, described in this paper at Arxiv, is that it doesn't involve installing new software on the target device. Rather, iStegSiri would exist as a man-in- …

Verizon sprints to crush FiOS account exposure hole

Up to five million user accounts, including email inboxes and private messages of Verizon's FiOS application, were exposed thanks to a flaw reported today. XDA senior software developer Randy Westergren said the FiOS API flaw, since fixed, allowed any account to be accessed by manipulating user identification numbers in web …
Darren Pauli, 19 Jan 2015

Snowden doc leak 'confirms' China stole F-35 data

China now knows what most people in the west are catching up with: that the F-35 Joint Strike Fighter is a lemon. The latest round of managed information release by Edward Snowden via Spiegel (one of a series) includes the snippet that Chinese security services copied “terabytes” of data about the aircraft. The release states …

IT cock-up – not jihadi DDoS – fingered for French web media blackout

Several prominent French news websites fell off the web on Friday for several hours in what's looking like a technical failure rather than a denial-of-service attack. It was, at first, assumed Islamist miscreants had attacked the sites, lashing out in anger at press coverage of the Charlie Hebdo killings. Le Parisien ( …
John Leyden, 17 Jan 2015

US drug squad cops: We snooped on innocent Americans' phone calls too!

The US Drug Enforcement Administration (DEA) has admitted that for years it kept a secret log of phone calls made by American citizens calling overseas. Much like the secret NSA and FBI databases, the DEA got its information under subpoena from American telecommunications companies, irrespective of whether or not the target had …
Iain Thomson, 17 Jan 2015

Prez Obama snubs UK PM's tough anti-encryption crusade at White House meet

The UK and the US will collaborate more closely to prevent "cyberattacks," the two countries' respective leaders so bravely promised in a joint press conference on Friday. Following bilateral meetings in Washington DC this week, UK Prime Minister David Cameron and US President Barack Obama jointly announced new cooperative …
Neil McAllister, 16 Jan 2015

BMW: ADMEN have asked us for YOUR connected car DATA

US technology companies and advertisers have been seeking access to the data generated by sensors in so-called "connected cars", a senior figure at German car manufacturer BMW has said. Ian Robertson, BMW head of sales and marketing, said BMW had so far resisted requests to share connected car data with those businesses, …
OUT-LAW.COM, 16 Jan 2015

Lazy FTSE 350 firms think lawyers can fight off cyber-security worries

Poor communication between boards and front-line management as well as a growing reliance on legal remedies mean UK companies are still falling short when it comes to cyber-security. A KPMG survey of FTSE 350 firms found that 61 per cent of board members reckoned they had a decent understanding of their company’s key information …
John Leyden, 16 Jan 2015

Young CHAP CUFFED in Blighty over Xmas Sony and XBOX hacks

UK coppers and the FBI have arrested a man in connection with the denial of service attack on Sony Playstation and Xbox systems in 2014. Hacking group the Lizard Squad claimed responsibility for the attacks last month, which caused major disruption to the platforms over Christmas. Officers from the South East Regional Organised …
Kat Hall, 16 Jan 2015

Go Canada: Now ILLEGAL to auto-update software without 'consent'

Installing computer programs without consent became a civil offence punishable by fines in Canada this week. Under the new regulations that form part of Canada's anti-spam legislation, it is now illegal for a website to automatically install software on a visitor's computer or for an app on your phone to be updated without first …
John Leyden, 16 Jan 2015

US and UK declare red-team CYBER WAR – on EACH OTHER

The US and the UK are planning a series of joint war games involving cyber-warriors from either side attacking each other in a bid to expose security weaknesses before they are abused by criminal hackers or hostile governments. The exercises, which will initially test the security defences and procedures at banks on Wall Street …
John Leyden, 16 Jan 2015

Please use TWO HANDS to access AdultFriendFinder

Four hosts are behind one in two typosquatting attacks against the top 500 websites, research has found. The hosts and their fellow fraudsters had registered domain names mimicking three-quarters of the internet's 500 most popular websites, say University of Leuven researchers Pieter Agten, Wouter Joosen, and Frank Piessens, who …
Darren Pauli, 16 Jan 2015

GRENADE! Project Zero pops pin on ANOTHER WINDOWS 0-DAY

Google has once again decided Microsoft's moving too slowly on the security front – by dropping yet another proof-of-concept attack against a Windows 7 and 8.1 bug that Redmond tried and failed to fix this week. The flaw is present in Windows on 32- and 64-bit architectures, and can accidentally disclose sensitive information or …
Darren Pauli, 16 Jan 2015

Apple wants your fingerprints in the cloud

Apple wants to collect and store your fingerprints to spread its payment service and simplify download authorisation. Cupertino aspires to upgrade its TouchID with the capability to collect, encrypt and upload fingerprints to Apple servers so that users can verify their identities with a single print matched to those stored …
Darren Pauli, 16 Jan 2015

CIA exonerates CIA of all wrongdoing in Senate hacking probe

A review panel has tossed aside accusations that the US Central Intelligence Agency hacked into computers used by Senate aides investigating the torture of terror suspects, saying the CIA did nothing wrong. The CIA has been criticized by several lawmakers – in particular, Senator Dianne Feinstein (D-CA), who chairs the Senate …
Neil McAllister, 15 Jan 2015

PROOF the undead STALK Verizon users: Admen caught using 'perma-cookie'

Researchers have spotted an advertising agency using Verizon’s indestructible cookies to silently track people across the internet. Back in 2012, Verizon started injecting a "unique identifier token header" (UIDH) into each HTTP request sent through its mobile data network; these identifiers are unique to each subscriber and …
Iain Thomson, 15 Jan 2015

Definitions matter. For crying out loud, securobods, BE SPECIFIC – ENISA

Definitions matter when your infrastructure is under threat says European Union Agency for Network and Information Security (ENISA). ENISA’s latest report, published on Thursday, concludes that there is an increase in the occurrence of routing threats, DNS threats and DDoS attacks to internet infrastructure. Its advice? Get your …
Jennifer Baker, 15 Jan 2015

Denmark mulls new EU-defying session-logging law

Danish authorities look set to bring back mandatory internet session logging despite an EU ruling last year that blanket data retention is illegal. Last May the European Court of Justice (ECJ) concluded that the EU Data Retention Directive was “a particularly serious interference with fundamental rights”, meaning countries …
Jennifer Baker, 15 Jan 2015

Spammers set their sights on WhatsApp – that's that ruined then

Mobile spam is spreading from SMS channels towards mobile messaging apps such as WhatsApp, according to mobile security provider and specialist AdaptiveMobile. The company believes spammers have switched tactics over recent months in order to bypass existing mobile spam filters. App spam is particularly prevalent in mature …
John Leyden, 15 Jan 2015

Microsoft cracks personalisation without prying

A Microsoft research trio has developed an algorithm capable of eliminating user tracking in web search without the overheads of existing technology. The idea, to be presented next month and titled Bloom Cookies: Web Search Personalisation without User Tracking, uses a new type of flowery cookies that can tightly-encode user …
Darren Pauli, 15 Jan 2015

David Cameron: I'm off to the US to get my bro Barack to ban crypto – report

UK Prime Minister David Cameron is hoping to gain the support of US President Barack Obama in his campaign-year crusade to outlaw encrypted communications his spies can't break, sources claim. As reported by the Wall Street Journal, the Conservative Cameron would like to see left-leaning Obama publicly criticize major US …
Neil McAllister, 15 Jan 2015

Sony hack was good news for INSURERS and INVESTORS

Whoever hacked Sony Entertainment at the end of November changed information security forever. Where once hackers had been most concerned to gain access to the honeypots of credit cards and bank accounts, this theft had a different goal, one that became clear with the steady release of Sony’s most intimate secrets throughout …
Mark Pesce, 15 Jan 2015

Security? Don't bother until it's needed says RFC

All-or-nothing approaches to security are part of what's making it so hard to achieve acceptable protection, a new RFC suggests. Written by Viktor Dukhovni of Two Sigma, RFC 7435 argues that the way current systems fail is a discouragement to good security. A binary failure – if two peers in a conversation don't have the same …

Got a GE industrial Ethernet switch? Get patching

GE is the latest industrial kit vendor to send users patching to protect against hard-coded credentials in Ethernet switches. IOActive disclosed the vulnerability to ICS-CERT, which issued this advisory (details here CVE-2014-5418 and here CVE-2014-5419). The vulnerability occurs in various GE Multilink managed Ethernet …

VMware finds new post-paranoia RAM-saving tricks

VMware is rejigging the way it shares memory among virtual machines, after turning off Transparent Page Sharing (TPS) because academics identified insecurities in the technology. TPS allows virtual machines to make more efficient use of RAM, so that more VMs can run on a host. But as VMware acknowledged in December 2014, “recent …
Simon Sharwood, 15 Jan 2015

Cryptolocker 3.0 scum bounce victims over Invisible net

Cryptowall 3.0 uses Tor and its little sister I2P to carry chatter between victims and controllers, keeping it away from researchers and law enforcement, French anti-malware crusaders say. Researchers Kafeine (@Kafeine) and Horgh (@Horgh_RCE) have released a technical analysis on the malware identified by Microsoft late last year …
Darren Pauli, 15 Jan 2015

It's 2015 and home routers still leave their config web servers wide open

Broadband routers from ADB Pirelli – used by Movistar in Spain and an ISP in Argentina – are vulnerable to at least two nasty security weaknesses, it's claimed. The ADB Pirelli ADSL2/2+ Wireless Routers can be trivially controlled remotely from across the internet, allowing someone to surreptitiously monitor or disrupt home …
John Leyden, 15 Jan 2015

ISO floats storage security standard

The International Standards Organisation reckons the world needs help securing its data, so has published a new storage security standard to cover it. Because The Register isn't about to shell out 198 Swiss Francs to read the whole thing, we're constrained in our ability to tell you exactly what it contains, but we note that the …