Uni staffer's health info blabbed in email list snafu

The University of East Anglia has been involved in a personal data breach for the second time in five months. Around 300 postgraduate students in the received an email on Sunday 5 November which contained "personal information about the health of a member of staff", due to the accidental use of an email distribution list. UEA …
Richard Priday, 09 Nov 2017

Not even ordering pizza is safe from the browser crypto-mining scourge

A total of 2,531 of the top 3 million websites (1 in 1,000) are running the Coin Hive miner, according to new stats from analytics firm Red Volcano. BitTorrent sites and the like were the main offenders but the batch also included the Ecuadorian Papa John's Pizza website [see source code]. JavaScript-based Coin Hive crypto- …
John Leyden, 09 Nov 2017

Evil pixels: Researcher demos data-theft over screen-share protocols

It's the kind of thinking you expect from someone who lives in a volcano lair: exfiltrating data from remote screen pixel values. The idea comes from Pen Test Partners' Alan Monie, taking a break from sex toy hacks and wondering how to get data over a connection like RDP (remote desktop protocol) when the target had blocked …

Microsoft pals up with partners for threat-hunting

Windows Defender Advanced Threat Protection first landed as a public preview in September, and now, with its general availability, Microsoft has announced a bunch of partners to give it cross-platform support: Bitdefender for Linux and macOS, Lookout for iOS and Android, and Ziften for macOS and Linux. With Bitdefender's …

Brit moron tried buying a car bomb on dark web, posted it to his address. Now he's screwed

A British teenager who tried to order a car bomb on the dark web and get it delivered to his address has been found guilty this week. Gurtej Randhawa, 19, of Wightwick, in the West Midlands of England, was cuffed by cops in May after purchasing what he thought was what's legally …
Iain Thomson, 09 Nov 2017

Intel's super-secret Management Engine firmware now glimpsed, fingered via USB

Positive Technologies, which in September said it has a way to drill into Intel's secretive Management Engine technology buried deep in its chipsets, has dropped more details on how it pulled off the infiltration. The biz has already promised to demonstrate a so-called God-mode hack this December, saying they've found a way …

Quantum computers could crack Bitcoin, but fixes are available now

An international group of quantum boffins reckons Bitcoin could be broken by the year 2027. The researchers from Singapore, Australia and France say that scenario represents the worst case, and would see a quantum computer able to run Shor's algorithm against the cryptocurrency's protective elliptic curve signature quicker …

Marissa! Mayer! pulled! out! of! retirement! to! explain! Yahoo! hack! to! Senators!

Poor Marissa Mayer. After selling off Yahoo! and floating away on her golden parachute, she must have been looking for a nice rest. But US Congress wanted her to explain how every single user account on the portal got hacked. On Wednesday, she testified before the Senate Committee on Commerce, Science, and Transportation on …
Iain Thomson, 08 Nov 2017

Credential-stuffing defence tech aims to defuse password leaks

A system that aims to identify stolen passwords before breaches are reported or even detected was launched on Tuesday. Shape Security's Blackfish credential defence system is designed to detect the use of stolen usernames and passwords by criminals and in real time. The technology is a mechanism for organisations to identify …
John Leyden, 08 Nov 2017

Where hackers haven't directly influenced polls, they've undermined our faith in democracy

What a difference a year makes. This time last year, Twitter pooh-poohed any suggestion that Russian agents ran accounts on its platform for purposes of subverting the US election. A month ago, it was forced to eat its words, owning up to maybe just a few paltry 201. Last week, in the course of a Congressional grilling, that …
Jane Fae, 08 Nov 2017

SSL spy boxes on your network getting you down? But wait, here's an IETF draft to fix that

The Internet Engineering Task Force (IETF) has just put out a new draft for a standard that would enable folks to effectively bypass surveillance equipment on their networks to maintain secure connections. The working draft from three Cisco employees notes that so-called middleboxes – which intercept and decrypt connections – …
Kieren McCarthy, 08 Nov 2017

You know what's coming next: FBI is upset it can't get into Texas church gunman's smartphone

FBI agents investigating the murder-suicide of 26 people in a church in Sutherland Springs, Texas, on Sunday, have said they can't yet unlock the shooter's smartphone. In a press conference on Tuesday, special agent Chris Combs said that investigations into the motives and actions of the gunman were ongoing, but that his mobe …
Iain Thomson, 08 Nov 2017

KRACK whacked, media playback holes packed, other bugs go splat in Android patch pact

Google has released its November security update for Android, addressing a bag of security holes. You should install them as soon as they are available for your phone, tablet and other gadgets. Depending on your mobile carrier and device manufacturer, they may arrive immediately, soon, late or never. Among the holes covered …
Shaun Nichols, 07 Nov 2017

Don't worry about those 40 Linux USB security holes. That's not a typo

The Linux kernel USB subsystem has more holes than a donut shop. On Monday, Google security researcher Andrey Konovalov disclosed 14 Linux USB flaws found using syzkaller, a kernel fuzzing tool developed by another Google software engineer, Dmitry Vyukov. That's just the tip of the iceberg. In an email to The Register, …
Thomas Claburn, 07 Nov 2017

Parity calamity! Wallet code bug destroys $280 MEEELLION in Ethereum

There's a lot of hair-pulling among Ethereum alt-coin hoarders today – after a programming blunder in Parity's wallet software let one person bin $280m of the digital currency belonging to scores of strangers, probably permanently. Parity, which was set up by Ethereum core developer Gavin Woods, admitted today that a user …
Iain Thomson, 07 Nov 2017

Mirai, Mirai, pwn them all, who's the greatest botnet on the whole?

The Mirai botnet is alive and kicking more than a year after its involvement in a DDoS attack that left many of the world's biggest websites unreachable. DNS provider Dyn reckons about 100,000 Mirai-infected gadgets knocked it out back in October 2016. A study by security ratings firm SecurityScorecard, out Tuesday, found that …
John Leyden, 07 Nov 2017

Oh Brother: Hackers can crash your unpatched printers – researchers

Updated: Security researchers have said they've uncovered a new way for hackers to crash Brother printers. More specifically, they've put out an advisory saying a vulnerability in the web front-end of Brother printers (the Debut embedded http server) allows an attacker to launch a Denial of Service attack. The attack might be carried …
John Leyden, 07 Nov 2017

Apache OpenOffice: We're OK with not being super cool... PS: Watch out for that Mac bug

Interview: Apache OpenOffice 4.1.4 finally shipped on October 19, five months later than intended, but the software is still a bit buggy. The resource-starved open-source project had been looking to release the update around Apache Con in mid-May, but missed the target, not altogether surprising given persistent concerns about a lack of …
Thomas Claburn, 07 Nov 2017

Boffins tear into IEEE's tissue-thin anti-hacker chip blueprint crypto

Several large gaps have been found in the IEEE's P1735 cryptography standard that can be exploited to unlock or tamper with encrypted system-on-chip blueprints. The P1735 scheme was designed so that chip designers could, ideally, shield their intellectual property from prying eyes. When you're creating a system-on-chip …
Iain Thomson, 07 Nov 2017

It's 2017 and you can still pwn Android gear with Wi-Fi packets – so get patching now

A security researcher has turned up new ways to silently hijack and infect Android devices via malicious Wi-Fi packets over the air. Scotty Bauer, a Linux kernel developer, described in detail on Monday how he found a bunch of exploitable programming blunders in the qcacld Wi-Fi driver that supports Qualcomm Atheros chipsets. …

Let's get ready to grumble! UFC secretly choke slams browsers with Monero miners

Yet another website has been caught secretly running Coin Hive's JavaScript that silently pressgangs visitors' computers into mining the Monero digital currency. On Monday, it was the turn of Ultimate Fighting Championship's pay-per-view ufc.tv site, which streams mixed martial arts battles in which men and women in tight …
Iain Thomson, 07 Nov 2017

Paradise Papers were not an inside job, says leaky offshore law firm

Revelations from the Paradise Papers, a leaked set of more than 13 million financial documents, have shed light on how the rich and famous channel funds through offshore tax havens. Among early stories spawned from the leak and published over the weekend are allegations that Russia funded Facebook and Twitter investments …
John Leyden, 06 Nov 2017

ATM fees shake-up may push Britain towards cashless society

Thousands of free-to-use cash machines could be axed from Britain's high streets due to plans to cut fees that fund the network, banking industry group LINK warned last week. LINK has a strategy to minimise the impact to consumers due to a proposed reduction in fees over the next four years from around 25p to 20p per cash …
John Leyden, 06 Nov 2017

ViaSat hops into bed with European Space Agency in €68m deal

Satellite outfit ViaSat is forming a €68m (£60m) public-private partnership with the European Space Agency (ESA), which among other things is intended to fund ground stations for home broadband speeds of 100Mbps. The programme will focus on developing fixed and mobile terminals to allow its ViaSat-3 satellites to provide a …
Kat Hall, 06 Nov 2017

Crumbs! Crunchyroll distributed malware for a couple of hours

Popular anime streamer Crunchyroll is warning users to check their systems for malware, after attackers got access to its Cloudflare config and targeted Windows users with a malicious file. The attack only lasted 150 minutes – from 0330 to 0600 Pacific Time on Sunday November 5 (when owner Ellation took the site down). As the …

DoS scum attacked one-third of the 'net between 2015 and 2017

One-third of all /24 networks recently estimated to be active on the Internet have suffered at least one denial-of-service attack over the last two years. That's the headline number from a two-year study conducted by the Center for Applied Internet Data Analysis (CAIDA), published last week. CAIDA conducted the study to …

OpenSSL patches, Apple bug fixes, Hilton's $700k hack bill, Kim Dotcom raid settlement, Signal desktop app, and more

Happy weekend, everyone, except those of you on call, of course. Let us catch you up on all the IT security bits and pieces besides what's been reported this week. Down in New Zealand, Kim Dotcom, the bête noire of Hollywood, reached a settlement with the New Zealand authorities over a rather dramatic raid in 2012 on his home …
Iain Thomson, 04 Nov 2017

Over a million Android users fooled by fake WhatsApp app in official Google Play Store

Once again Google's Play Store has proved less than excellent at tackling malicious apps, after netizens found a fake version of WhatsApp that was good enough to fool over a million people into downloading it. The rogue program was spotted by Redditors earlier today, and the software looks very much like the real deal. However …
Iain Thomson, 03 Nov 2017

Equifax execs sold shares before mega-hack reveal. All above board – Equifax probe

Senior Equifax executives sold their shares in the credit agency just before its stock price plunged when the world was told it had been thoroughly hacked. The US biz has since probed the transactions, and you'll all be extremely pleased to learn of that investigation's conclusion: there was no wrongdoing, nothing untoward, …
Iain Thomson, 03 Nov 2017

Estonia government locks down ID smartcards: Refresh or else

The Estonian government is suspending the use of the Baltic country’s identity smartcards in response to a recently discovered and wide-ranging security flaw. Residents of the Baltic country will still be able to use the smartphone equivalent of the technology, which is used to access government services and online banking. Use of …
John Leyden, 03 Nov 2017

Biggest Tor overhaul in a decade adds layers of security improvements

Tor developers have taken the wraps off the next generation of onion services. The alpha release promises the biggest overhaul in the anonymizing network for the past 10 years. The opening section of the change log provides a good overview of the tweaks, some of which aim to address recently discovered security weaknesses in …
John Leyden, 03 Nov 2017

El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

Analysis: High street banks should be exemplars of good security but many are letting the side down when it comes to following cryptographic best practice. Tests by security researcher Scott Helme and The Register showed a marked divergence in performance. We assessed the security of online login sites run by six UK high street banks …
John Leyden, 03 Nov 2017

US says it's identified six Russian officials as DNC hack suspects

The US government has identified "more than six members of the Russian government" involved in hacking the Democratic National Committee's computers and leaking information during last year's presidential election. The Wall Street Journal reports that Justice Department officials are in the early stages of deciding whether to …
John Leyden, 02 Nov 2017

Hackers tiptoe out, launch Silence trojan, quietly raid banks of meeelllions

Cybercrooks are directly attacking banks in multiple countries using a trojan dubbed Silence. At least 10 financial organisations in multiple regions including Russia, Armenia, and Malaysia have been targeted by the so-called Silence crew in a series of ongoing attacks. While stealing funds from its victims, Silence runs …
John Leyden, 02 Nov 2017

Subscription disappointments keep FireEye in the red

FireEye won't reach profitability this calendar year: it posted a US$72.9 third-quarter net loss on revenue that grew 1.7 per cent to $189.6 million. However, the security company was able to announce that whoever breached one of its employees' accounts in July has been cuffed. In spite of claims that the company's networks …

FBI: Student wrestler grappled grades after choking passwords from PCs using a key logger

A former chemistry student allegedly used keystroke-logging gadgets to steal tutors' passwords, changed classmates' grades and downloaded copies of exams ahead of time. Amateur wrestler Trevor Graves, 22, who studied at the University of Iowa, in the US, was arrested and indicted this month on two hacking charges – each of …
Iain Thomson, 01 Nov 2017
