Security > More stories

Mt Gox LEAKED Bitcoin for years before heist, says WizSec

WizSec, a Tokyo-based group that's been investigating the Bitcoin thefts that eventually led to the unravelling of Mt Gox, reckons the crypto-currency was going missing from the trading firm long before it collapsed. The group's analysis suggests that the pilfering goes back as far as 2011, leading to a shortfall when Mt Gox …

Lawyer: Cops dropped robbery case rather than detail FBI's StingRay phone snoop gizmo

Prosecutors in St Louis, Missouri, have dropped a criminal robbery case to avoid revealing details of a controversial mobile phone surveillance program, a defense attorney has claimed. The St Louis Post-Dispatch reported that the state dropped more than a dozen charges against three defendants just one day before police were …
Shaun Nichols, 21 Apr 2015

Web advertising giant (Google) to spew ads over web – using HTTPS

Google has vowed to serve ads over HTTPS from its massive advertising network. The move will make it easier for website owners to go fully SSL-protected, serving their webpages and ads over HTTPS rather than just the pages over HTTPS and mixing in ads over HTTP, which is insecure. It also means each ad and its link can't be …
Darren Pauli, 20 Apr 2015

IT'S WAR: Hacktivists throw in their lot with spies and the military

Feature: Hacktivism has lost its innocence. Once characterised in the early days of Anonymous back in 2008 by assaults against the Church of Scientology, it has now become part and parcel of far darker plans, such as the spread of terrorist propaganda by Islamic militants. Meanwhile, over in the Ukraine, cyber militias of patriot hackers …
John Leyden, 20 Apr 2015

Raytheon borgs Websense to create cybersecurity behemoth

Defence giant Raytheon has agreed a deal with Vista Equity Partners to form a new company combining Websense with Raytheon Cyber Products. The new joint venture (Raysense? Webtheon?) will combine Raytheon Cyber Products with Websense's TRITON line of web filtering and other enterprise security products. Raytheon – known for the …
John Leyden, 20 Apr 2015

Kremlin hackers exploited TWO 0-day Flash, Windows vulns

A hacking group probably backed by Russia has been making use of two zero-day exploits to target foreign governments. The so-called "Operation RussianDoll" attackers used zero-day exploits in Adobe Flash and Windows to target a specific foreign government organisation. Security firm FireEye says the pattern of the attacks fits …
John Leyden, 20 Apr 2015

Anonymous unleashes online petition against US info-sharing bills

Activist and hacktivist collective Anonymous has launched an online awareness-raising operation opposing pending controversial US information-sharing bills. Critics from across the political spectrum, including libertarian-minded technologist Robert Graham, argue that the Cybersecurity Information Sharing Act sacrifices privacy …
John Leyden, 20 Apr 2015

High on bath salts, alleged Norse god attempts tree love

A 41-year-old Florida man is facing a pantheon of charges after allegedly getting hammered on bath salts, declaring himself to be Norse storm god Thor, attempting to commit "a sexual act on a tree", shrugging off two taserings, and assaulting a police officer. According to this report, Kenneth Crowder was spotted this month …
Lester Haines, 20 Apr 2015

Microsoft proves Pinocchio's a real boy with proofs tool

Microsoft cloud wonks have developed a tool for developers capable of practical generation of proofs that an outsourced job has been crunched securely. The team of eight including Craig Costello; Cedric Fournet; Jon Howell; Markulf Kohlweiss; Michael Naehrig, and Bryan Parno together with University of Virginia boffins Benjamin …
Darren Pauli, 20 Apr 2015

Your city's not smart if it's vulnerable, says hacker

"Real world hacker" Cesar Cerrudo has blasted vendors, saying they're stopping security researchers from testing smart city systems, and as a result they're being sold with dangerous unchecked vulnerabilities. The warning will be detailed at RSA San Francisco this week, and comes a year after the IOActive chief technology …
Darren Pauli, 20 Apr 2015

Google makes life easier for mixed-content sysadmins

Rejoice, sys admins with big non-encrypted image databases: Google feels your pain and says the next version of Chromium, 43, will provide some relief. One of the challenges, the Chocolate Factory reckons, is that old sites with lots of non-HTTPS resources can't be migrated with a simple flick of the switch. In current browsers …

Watch: Nasty JPEG pops corporate locks on Windows boxes

Vid: Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers, to gain expanded privileges over networks. In a live hack set down for RSA San Francisco this week, the TrueSec boffin shows how he used the hack to access an unnamed US Government agency that ran a buggy photo upload portal. …
Darren Pauli, 20 Apr 2015

Google broke own security with April fool gag

On April 1st Google had a bit of fun by using the com.google domain to display all content backwards, but the folks at Netcraft think that jape backfired by introducing security vulnerabilities to the search engine. Netcraft's security folks say the joke “... inadvertently undermined an important security feature on Google's …
Simon Sharwood, 19 Apr 2015

Raytheon suspected of readying for Websense slurp

The biz-wires are abuzz with industry talk that enterprise net-filter outfit Websense will be slurped by Raytheon for a cool $US1.9 billion. Now an e-mail and Web security company with deployment options from the desktop to the cloud, Websense had long lived under the wing of private equity company Vista Equity Partners (VEP). …

BLAM! Valve slams brakes on Steam flimflam with $5 spam scram plan

Video-gaming kingpin Valve has promised to do a better job of protecting its subscribers from dollops of spam, by applying a $5 limit on user accounts before unlocking a number of key features. The company explained the new strategy in a post on its support forum. It said that features – including friend invites, group chat, …
Kelly Fiveash, 19 Apr 2015

Colombian hacker who spied on gov-rebel peace talks jailed for 10 years

A Colombian hacker has been incarcerated for 10 years for spying on the local government’s peace talks with Marxist rebels, among other offences, Fox News Latino reports. Andrés Sepúlveda received the harsh sentence even after he admitted snooping on both sides during government negotiations with the Revolutionary Armed Forces …
John Leyden, 17 Apr 2015

EMC buys cloudy Canuck security company CloudLink

EMC has bought CloudLink – a 20-person Canadian firm specialising in cloud data security software – for an undisclosed price. The software is SecureVM, which provides end-to-end data encryption for hybrid clouds, covering both at-rest and in-flight data for virtualised servers. It’s been an EMC Select Partner since 2013 and …
Chris Mellor, 17 Apr 2015

UK now part of another Euro data-spaff scheme

The United Kingdom has joined the European Union's new Schengen Information System II (SIS II), a multinational database-sharing platform for member states' authorities to access each other's databases in real time. Following the Council of the European Union's decision of 12 February, the UK has, as of this week, been given …

Lack of secure protocol puts US whistleblowers at risk, says ACLU

Responding to the recent proposal for a "HTTPS-Only Standard", the American Civil Liberties Union has stressed the value of a more thorough and timely implementation of functional transport encryption. The non-profit organization noted that at least 29 US federal websites do not currently use HTTPS to protect sensitive …

'Hackers racked up $$$$s via the Android Play Store, and Google won't pay me back'

A California woman is suing Google, alleging hackers exploited the ad giant's inadequate security to run up thousands of dollars in charges on her Play Store account. Susan Harvey, of Orange County, also accuses Google of refusing to reimburse her, and then after backing down and agreeing to refund the missing money, has not …
Shaun Nichols, 17 Apr 2015

WW2 German Enigma machine auctioned for record-breaking price

A three-rotor Enigma machine was sold for a record $269,000 at a Bonhams auction earlier this week. The machine is in complete working condition and was manufactured for the German military in Berlin in July 1944. The Enigma machines were, for their time, sophisticated encryption devices, and were used to encrypt Morse-coded …

The Internet of things is great until it blows up your house

A few months ago I had a chat about the Internet of Things with the design head of a well-known home appliance manufacturer. Gartner had just published 2014’s hype chart, and with the Internet of Things sitting at the very peak of the hype cycle, he reckoned it might be an interesting way to differentiate his firm’s products in …
Mark Pesce, 17 Apr 2015

WikiLeaks reveals searchable trove of Sony Pictures documents

Wikileaks has decided Sony Pictures is worthy of its attention by releasing 30,000 documents it says were lifted from the company's servers during the infamous 2014 attack. Wikileaks' justification for publishing the new trove is that Sony “is a member of the [Motion Picture Association of America] MPAA and a strong lobbyist on …
Simon Sharwood, 17 Apr 2015

Netflix's house of cards to be fortified with HTTPS appliance

Netflix will this year roll out HTTPS to keep customers' viewing habits secret. The streaming company's April earnings letter (PDF) says it will make the move because it "helps protect member privacy, particularly when the network is insecure, such as public wifi, and it helps protect members from eavesdropping by their ISP or …
Darren Pauli, 17 Apr 2015

Governments lodge just 10 subpoenas for GitHub user info

Law enforcement agencies find GitHub geeks so boring they submitted a paltry ten subpoenas last year to gain information on 40 of the site's eight million active accounts. GitHub's transparency report for requests received during 2014 reveals information was provided to legal requesters in seven of these cases and about half of …
Darren Pauli, 17 Apr 2015

Public exploit crashes Minecraft servers

A huffy hacker has published detailed steps for anyone to pull off an 'easy' Minecraft exploit capable of causing servers to crash. Developer Ammar Askar dropped the hack which allows attackers to send malformed packets that can crash Minecraft servers by exhausting its memory. The exploit publication comes two years after …
Darren Pauli, 17 Apr 2015

Default admin password, weak Wi-Fi, open USB ports ... no wonder these electronic voting boxes are now BANNED

The US state of Virginia is decommissioning a long-serving electronic voting system after learning of its gaping security holes. The state's Board of Elections was urged to decertify the Wi-Fi-connected Advanced Voting Systems WINVote system after the boxes were found to lack basic security measures against physical and …
Shaun Nichols, 17 Apr 2015

Sysadmins, patch now: HTTP 'pings of death' are spewing across web to kill Windows servers

The SANS Institute has warned Windows IIS web server admins to get patching as miscreants are now exploiting a flaw in the software to crash websites. The security bug (CVE-2015-1635) allows attackers to knock web servers offline by sending a simple HTTP request. Microsoft fixed this denial-of-service vulnerability on Tuesday …
Iain Thomson, 16 Apr 2015

Google: Go ahead, XP stalwarts, keep on using Chrome safely all YEAR

Even though Microsoft quit supporting the wildly popular Windows XP last year, Google has decided to give XP users a break by promising to ship updates and security fixes for its Chrome browser on the aging operating system for a few more months. Wayyyyy back in 2013, the Chocolate Factory told Chrome users that they had better …
Neil McAllister, 16 Apr 2015

Bank-card-sniffing shop menace Punkey pinned down in US Secret Service investigation

Security researchers have identified a new strain of point-of-sale (POS) malware during an investigation led by the US Secret Service. Stolen payment card information and the IP addresses of more than 75 infected sales tills were found by security researchers at Trustwave during the probe. It's unclear how many victims the so- …
John Leyden, 16 Apr 2015

Miscreants rummage in lawyers' silky drawers at will, despite warnings

UK data privacy watchdogs at the ICO investigated 173 UK law firms for reported breaches of the Data Protection Act (DPA) last year. A total of 187 incidents were recorded last year, with 173 firms investigated for a variety of DPA-related incidents, of which 29 per cent related to "security" and a similar 26 per cent related to …
John Leyden, 16 Apr 2015

Ukraine conflict spilling over into cyber-crime, warns former spy boss

Infiltrate: Russian intelligence has begun sharing advanced malware developed for cyber-espionage with cyber-criminals, a former Canadian spy boss warns. Ray Boisvert, former assistant director and head of intelligence for the Canadian Security Intelligence Service (CSIS), told El Reg that Russian security agencies are sharing advanced …
John Leyden, 16 Apr 2015

APT group hacks cyber-spy gang in spy-on-spy pwnage

Cyber-spy groups, whose numbers are growing with little constraint, have begun hacking each other. Hellsing, a small and technically unremarkable cyber-espionage group, was subjected to a spear-phishing attack by another threat actor last year, before deciding to strike back with its own malware-infected emails. The aftermath …
John Leyden, 16 Apr 2015

D-Link router patch creates NEW SOHOpeless vuln

Hacker Craig Heffner says D-Link has not only failed in its bid to patch its DIR-890L router but has managed to introduce a new vulnerability instead. The Tactical Network Solutions router wrecker says D-Link's quadcopter-esque AC3200, reviewed elsewhere as "the most insane router in the history of mankind", is open to …
Darren Pauli, 16 Apr 2015

Target settles with MasterCard for US$19 million

US retailer Target's ongoing attempts to mop up after its colossal data breach have taken another step forward, after it settled with MasterCard. The deal will see the retailer toss US$19m into a pot that MasterCard will use to make “alternative recovery offers … to eligible MasterCard issuers worldwide that issued MasterCard- …
Simon Sharwood, 16 Apr 2015

Borg routers open to repeat remote DoS attack

Remote attackers can send some Cisco routers into a continuous denial of service funk by rebooting network processor chips with a crafted attack. The high-severity hole (CVE-2015-0695) affects the IOS XR software in Cisco ASR 9000 Series Aggregation Services routers running Typhoon-based cards, the second-generation of line …
Darren Pauli, 16 Apr 2015

Dropbox launches 'limitless' bug bounty

Dropbox has launched a no-limit bug bounty program, back-paying US$14,875 so far for previously and newly-reported vulnerabilities. The HackerOne bounty, which supplements the company's external penetration testing efforts, is unusual in offering back payment for critical vulnerabilities that white hat hackers had already …
Darren Pauli, 16 Apr 2015

'Arkansas cops tried to hack me with malware-ridden hard drive'

A lawyer representing three police whistleblowers has claimed a hard drive sent to him with evidence for his case was deliberately infected with password-stealing malware. Matthew Campbell, a lawyer with the Pinnacle Law Firm in North Little Rock, Arkansas, is working on behalf of three past and present officers of the Fort …
Iain Thomson, 15 Apr 2015

Oracle grunts, grimaces, pushes out 98-flaw security patch batch

Oracle has patched nearly 100 security flaws in Java, Fusion Middleware, Database, MySQL and other products. For Java SE, the update fixes 14 CVE-listed bugs. All of the flaws are remotely exploitable without authentication to compromise a victim's computer, and three were given risk assessment scores of 10 out of 10. (Psst ... …
Shaun Nichols, 15 Apr 2015

There's TOO MANY data-leaking healthcare firms, growls Symantec

Security software company Symantec is being drenched in calls from breached health organisations that have lost devices or suffered an information security snafu. Some 80 per cent of the calls its incident response team has received since December are from healthcare firms, topping the charts for the number of breach incidents …
Darren Pauli, 15 Apr 2015

Troubleshooting feature on Cisco routers is open to data-slurp abuse

Infiltrate: A default feature of Cisco routers can readily be abused to collect data, security researchers warn. Embedded Packet Capture (EPC) was designed by Cisco as a troubleshooting and tracing tool. The feature allows network administrators to capture data packets flowing through a Cisco router. Brazilian security researchers Joaquim …
John Leyden, 15 Apr 2015

Don't collect bugs, invest in fly-spray says bug bounty operator

Kate Moussouris says security defenders should spend cash to acquire and build the tools of the bug hunting trade rather than dole out cash for warm bodies or endless zero day. The chief policy officer for bug bounty outfit Hacker One and former Microsoft security boffin says in new research that defenders need to catch up to …
Darren Pauli, 15 Apr 2015