Security > More stories

Contactless card fraud? Easy. All you need is an off-the-shelf scanner

Consumer association magazine Which? has highlighted a security flaw in contactless card systems, which, if combined with a lack of checks by retailers, could be exploited by thieves to make expensive online purchases. Researchers bought contactless card-reading technology from a mainstream website before using it to remotely …
John Leyden, 23 Jul 2015
Larry Page's new yacht, 'Senses'

Investors fling fresh cash at Mike Lynch-backed Darktrace

Cyber security outfit Darktrace, which is backed by billionaire superyacht owner Mike Lynch, has raised yet more cash, this time drumming up the princely sum of $22.5m (£14.4m). Darktrace uses machine learning and mathematics to detect early-stage cyber threats. The biz was founded by former members of the intelligence …
Kat Hall, 23 Jul 2015
band_aid_648

Four phone hijack bugs revealed in Internet Explorer after Microsoft misses patch deadline

Updated Microsoft has run out of time to fix four critical security vulnerabilities in the mobile edition of Internet Explorer – prompting HP's Zero Day Initiative (ZDI) to disclose their existence without revealing any damaging details. All four of the flaws present a remote code execution (i.e. malicious code injection on a Windows …
John Leyden, 23 Jul 2015
shutterstock_282226826-Internet-of-things

Cyber poltergeist threat discovered in Internet of Stuff hubs

New security research has revealed a whole new area of concerns for the soon-to-be-everywhere Internet of Things – smart home hubs. Hubs – devices that link into home networks to control lighting, dead-bolt locks and cameras – can be dangerously vulnerable to attack, according to security tools firm TripWire. Craig Young, a …
John Leyden, 23 Jul 2015

Flash zero-day monster Angler dominates exploit kit crime market

SophosLabs researcher Fraser Howard says the Angler exploit kit is dominating the highly competitive underground malware market: Angler's market share has exploded from a quarter to 83 per cent within nine months. The growth occurred between September and May this year, we'e told. Angler emerged in 2013 to become one of the …
Darren Pauli, 23 Jul 2015

Cloudy VMs leak ID details that could allow attacks, says researcher

Research published by a US masters student reaches the somewhat unsettling conclusion that current cloud technologies don't separate virtual machines (VMs) as well as they could. By spying on shared resources at a low level, the research suggests, an attacker's VM can retrieve data written by another (like crypto keys), and …
Customer RCSAndroid upgrade e-mail

Hacking Team had RATted on Android: Trend Micro

The next piece of weaponised malware to emerge out of the Hacking Team leak has arrived: a Remote Access Trojan (RAT) for Android. Trend Micro researchers trawling the 400 GB of leaked files apparently have the honour of first discovery: RCSAndroid, it says, is “one of the most professionally developed and sophisticated” …

Microsoft launches Advanced Threat Analytics

Microsoft's Advanced Threat Analytics is going general-availability next month, so – as Redmond says – enterprises can more quickly spot intruders in their networks. Since the last preview version, ATA engineering head Idan Plotnik says the framework has 13 new features to make it more scalable, with improved threat detection …
Team Register, 23 Jul 2015

OpenSSH server open to almost unlimited password-guessing bug

A flaw in OpenSSH lets attackers bypass simple limits on the number of password login attempts that can be made per connection. By default, the encrypted service accepts six tries within a grace period of two minutes before breaking off a connection, which hampers brute-force attacks, but this mechanism can be easily …
Darren Pauli, 23 Jul 2015

Jeep hackers broke DMCA, says EFF, and that's stupid

It's pretty obvious really: the Electronic Frontier Foundation (EFF) has pointed out that the researchers responsible for the now-infamous “Jeep hack” broke America's Digital Millennium Copyright Act (DMCA). Similarly obvious, they say, is that such research should be legal if Detroit wants to avoid creating the cyber-Pinto. …

Microsoft joins attack on 'non-consensual pornography'

Microsoft has joined the online drive against so-called "revenge porn" in which people's naked or otherwise embarrassing/erotic pictures are posted widely online. In June, The Chocolate Factory announced an initiative to let individuals report images and videos for removal. Microsoft's now done likewise, with chief online …

Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet

Code dive You can bypass Apple's space-age security and gain administrator-level privileges on an OS X Yosemite Mac using code that fits in a tweet. Yosemite, aka version 10.10, is the latest stable release of the Mac operating system, so a lot of people are affected by this vulnerability. The security bug can be exploited by a logged- …
Chris Williams, 22 Jul 2015

Security tool bod's hell: People think I wrote code for Hacking Team!

A respected security researcher has denied any involvement with Hacking Team after open-source code he wrote was found in smartphone spyware sold by the surveillance-ware maker. Collin Mulliner works in SecLab at Northeastern University in Massachusetts, US, and is a regular at hacking conferences. He told The Register he's …
Iain Thomson, 22 Jul 2015
lottery

Lottery IT security boss guilty of hacking lotto computer to win $14.3m

Iowa state lottery's IT security boss hacked his employer's computer system, and rigged the lottery so he could buy a winning ticket in a subsequent draw. On Tuesday, at the Polk County Courthouse in Des Moines, Iowa, the disgraced director of information security was found guilty of fraud. Eddie Tipton, 52, installed a …
Iain Thomson, 22 Jul 2015

Hark, the Hacking Team angels sing, it’s not us who’ve actually sinned

The Hacking Team pushed out a new statement on Wednesday, moaning that the only victim of the mega-breach against its systems is Hacking Team itself. Eric Rabe, the firm's chief marketing and communications officer, complained that the controversial outfit is “being treated as the offender, and the criminals who attacked the …
John Leyden, 22 Jul 2015

Report links alleged US, Israeli cybercrims with JPMorgan MEGAHACK

Federal authorities in America have charged five men who are being indirectly connected with the attack and data breach at JPMorgan Chase last summer, after the global bank, with total assets of $2.6tn, lost the contact data for millions of customers. The attack now appears to have been sourcing targets for a fraudulent …
Fibre Optic by Barta IV https://www.flickr.com/photos/98640399@N08/ cc 2.0 attribution https://creativecommons.org/licenses/by/2.0/

Pakistan wants to copy GCHQ and eavesdrop on world+dog's comms

Pakistan's intelligence agencies want to snoop on all communications crossing its borders. Documents published by Privacy International (PI) on Wednesday (PDF) show Pakistan’s Inter-Services Intelligence (ISI) agency proposed a programme to monitor all international IP traffic coming into and out of the country, encompassing …
Jennifer Baker, 22 Jul 2015

Catch 'em while you can! Presenting Druva's virtual open door detector

Think checking doors and windows every night so as to stop burglars scrambling through to rob you. Well, now your personal data can be handled in the same way, with Druva's end-point protection services identifying risky exposure to sensitive information loss by scanning backed-up data and alerting compliance teams. Its inSync …
Chris Mellor, 22 Jul 2015

Nigerian prince swaps the sweet talk for keyloggers and exploits

Nigerian 419 scammers have taken to the crime-as-a-service model using cash to plug their technical capability shortfalls to build malware campaigns that could be making millions, according to FireEye researchers. Erye Hernandez, Daniel Regalado and Nart Villeneuv said that scammers, notorious for their attempts to fleece the …
Darren Pauli, 22 Jul 2015

Joomla Helpdesk Pro remote code exec vulns lead to server pwnage

Outpost24 researcher Kasper Bertelsen has warned of several vulnerabilities in Joomla's Helpdesk Pro which can lead to remote code execution on servers. The Helpdesk Pro Joomla extension allows users to categorise and log support tickets with managers who receive notifications. eBay, Heathrow Airport and the High Court of …
Darren Pauli, 22 Jul 2015

Google, Facebook and chums launch web blacklist to nail ad scammers

Tech big wigs including Facebook and Yahoo! have forged a giant blacklist to block fake web traffic contributing to advertising fraud, said Google ad man Vegard Johnsen. The Trustworthy Accountability Group (TAG) pilot program will nix bot traffic using a blacklist which could cut a significant portion of web traffic; Google's …
Darren Pauli, 22 Jul 2015
Car crash

Jeep drivers can be HACKED to DEATH: All you need is the car's IP address

Anyone driving about in a new Jeep Cherokee should update its software: at the moment the car's brakes and engine can be remotely controlled by anyone with an internet connection. This update might not sound particularly important, but trust me, if you can, you really should install this one. pic.twitter.com/qhTCrBIho8 — …
Iain Thomson, 21 Jul 2015

Ashley Madison invites red-faced cheats to bolt stable door for free

Adulterous hook-up site Ashley Madison is allowing all members to fully delete their profiles without charge in the aftermath of a serious data breach that threatens the site' future. Previously, if users wanted to delete their records (profile, pictures and messages sent through the system) they were obliged to pay around $20 …
John Leyden, 21 Jul 2015
Laurel and Hardy on the phone

Scammers going after iOS as fake crash reports hit UK

Tech support scammers have begun targeting UK iPhone and iPad users, offering to fix problems that don't actually exist. Cold call scams that seek to hoodwink Windows users into paying for useless remote diagnostic and cleanup services have been an issue for years. More recently, scammers have broadened their sights to target …
John Leyden, 21 Jul 2015

The roots go deep: Kill Adobe Flash, kill it everywhere, bod says

Fortinet security researcher Bing Lui has warned users that they can still be p0wned if they only disable Adobe Flash in web browsers. Lui's warning speaks to advice last week that users dump Flash to bolster security in the wake of the public disclosure of three zero day vulnerabilities (CVE-2015-5122. CVE-2015-5123, and CVE- …
Darren Pauli, 21 Jul 2015

Black Hat 2015: 32 SCADA, mobile zero-day vulns will drop

Gird your loins, admins; researchers are set to drop 32 zero-day vulnerabilities at the Black Hat hacking fest in Las Vegas in August. The vulnerabilities have not been disclosed but they will affect mobile devices and Supervisory Control and Data Acquisition (SCADA) systems among other platforms. "We have 32 different zero- …
Darren Pauli, 21 Jul 2015

Dumb MongoDB admins spew 600 TERABYTES of unauthenticated data

Shodan hacker John Matherly says system administrators have exposed some 595.2 terabytes of data by using poorly-configured or un-patched versions of the popular MongoDB database. eBay, Foursquare, and The New York Times are some of the prominent users of the open source MongoDB which is the most popular NoSQL database. …
Darren Pauli, 21 Jul 2015
Still from the movie Zoolander: Derek and a fellow model try to get the 'files' out of the Mac by smashing it to pieces. copyright Paramount Pictures

America's tweaks to weapons trade pact 'will make web less secure'

The period for comments on proposed amendments to the Wassenaar Arrangement – which governs the export of guns, lasers and proper weaponry, and computer hardware and software – ends today. So far, the tweaks concerning IT security products have received an overwhelming thumbs-down from the technology community. In May the US …
Iain Thomson, 21 Jul 2015

Snowden to the IETF: Please make an internet for users, not the spies

NSA whistleblower Edward Snowden has urged the world's leading group of internet engineers to design a future 'net that puts the user in the center, and so protects people's privacy. Speaking via webcast to a meeting in Prague of the Internet Engineering Task Force (IETF), the former spy talked about a range of possible …
Kieren McCarthy, 20 Jul 2015
drone

Spyware-spewing Wi-Fi drone found on Hacking Team, Boeing's todo list

Leaked emails have exposed plans by Hacking Team and a Boeing subsidiary to deliver spyware via drones for sale to government agencies. The scheme proposed the use of unmanned aerial vehicles (UAVs or drones) to deliver Hacking Team's Remote Control System Galileo spyware via Wi-Fi networks from above. Boeing subsidiary Insitu …
John Leyden, 20 Jul 2015

Microsoft: Hey, you. Done patching Windows this month? WRONG

Microsoft is urging everyone to install an emergency security update for all supported versions of Windows to fix a remote-code execution vulnerability. Details of the vulnerability were found and reported to Microsoft by security researchers poring over internal memos leaked online from spyware-maker Hacking Team. This …
Chris Williams, 20 Jul 2015

The Ruskies are coming for you, NSA director tells City bankers

Defence bigwigs have issued a stern warning to financial companies at the London Stock Exchange that "so-called patriotic hacker groups" may soon embiggen their attacks on the City and Wall Street. The talk, organised by the Royal United Services Institute (RUSI) along with the FCA and Bank of England, noted how Western banks …
Bond tries to decipher is tailor

British spooks wave through Samsung S6 mobes for UK govt bods

Samsung's new handsets have been given the seal of approval from the information assurance arm of Britain's intelligence agency. The South Korean tech multinational reckoned that the certification was the first of its kind to be dished out to a mobile vendor in Blighty. Samsung's Galaxy S6 and S6 edge models were granted the …
Team Register, 20 Jul 2015

Norton for Windows 10 is NOT a box-borking beta, insists Symantec

A recent update to Norton designed to add compatibility for Windows 10 is incompatible with mainstream Windows releases, according to some users. Symantec is denying that these issues are anything worse than teething problems, although this has so far failed to placate critics. Users are loudly complaining about borked Win 8. …
John Leyden, 20 Jul 2015
Android icon desktop toys

Fragmented Android development creating greater security risks

The fragmentation of Android is creating additional security risks, as the rush to release new devices without sufficient testing is inadvertently introducing security flaws, security researchers have warned. The researchers – Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed and XiaoFeng Wang – uncovered flaws in …
John Leyden, 20 Jul 2015
Blackmail

Ashley Madison hack: Site for people who can't be trusted can't be trusted

Ashley Madison, a popular website for married people wishing to cheat on their other halves, has been hacked with obviously serious implications for those whose details it held. Previously unknown hacking group The Impact Team posted online caches of personal data stolen from the website, whose motto is "Life is short. Have an …
John Leyden, 20 Jul 2015

North Korea's Red Star Linux inserts sneaky serial content tracker

ERNW security analyst Florian Grunow says North Korea's Red Star Linux operating system is tracking users by tagging content with unique hidden tags. The operating system, developed from 2002 as a replacement for Windows XP, was relaunched with a Mac-like interface in 2013's version three. The newest version emerged in January …
Darren Pauli, 20 Jul 2015
Wall of Spam. Pic: freezelight

Spamquake subsides: less than half of email is now processed pork

Spam levels have fallen to below 50 per cent of all email sent for the first time in a decade, according to security firm Symantec. The milestone comes from a 1.8 per cent decline in spam rates from last month, when spam accounted for 51.5 per cent of sent email. Threat bod Ben Nahorney said it was the lowest rate since …
Darren Pauli, 20 Jul 2015

Crims bait phishing hooks with Flash, cast at US Gov agencies

Hackers are attempting to break into US Government agencies using a recently patched Adobe Flash vulnerability, the FBI is warning. The attacks target flaw CVE-2015-5119 revealed and patched earlier this month that can if exploited allow attackers to run malware on victim machines. The agency warned of the attacks which began …
Darren Pauli, 20 Jul 2015

Hacking Team hackers questioned over Hacking Team hack

Reports have emerged that ex-staff of hacked spookware-spaffer Hacking Team have been questioned by police in Milan. According to Reuters, Italian police have questioned six ex-employees of the company, adding that the unnamed staff in question were already suspected of leaking the company's secrets. Spookeware boss David …

Microsoft to spoofed Skype users: Change your account passwords NOW

An unknown number of frustrated Skype customers have been pestered by spoof messages on the Microsoft service for weeks, but the company is yet to close what appears to be a gaping hole in its software. Instead, Redmond has advised Skype users to change their account passwords. But complaints are building up about the lack of …
Kelly Fiveash, 19 Jul 2015

Cyber-security's dirty little secret: It's not as bad as you think

New research from the Global Commission on Internet Governance has reached a surprising conclusion: cyberspace is actually getting safer. The report [PDF] starts from a simple enough premise: while we are constantly told that incidents of cyberattacks and online security threats are increasing, are they growing relative to the …
Kieren McCarthy, 18 Jul 2015